- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 28 Jan 2011 15:28:06 -0500
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org

On 1/28/11 3:03 PM, Adam Barth wrote:
> I agree that controlling which scripts can execute on your page is
> useful for mitigating XSS. I don't understand why controlling which
> fonts can be loaded by your page has any security impact.

Does allowing attackers to rewrite the text on your page (but not run any script) have security impact?

Allowing arbitrary font loads allows various attacks that depend on misinforming the user about what buttons and such will do, for example.

-Boris

Received on Friday, 28 January 2011 20:29:09 UTC