- From: Tab Atkins <tabatkins@google.com>
- Date: Wed, 16 Mar 2011 13:52:27 -0700
- To: John Hudson <tiro@tiro.com>
- Cc: Chris Lilley <chris@w3.org>, WOFF Working Group FONT <public-webfonts-wg@w3.org>

On Wed, Mar 16, 2011 at 12:59 PM, John Hudson <tiro@tiro.com> wrote:
> Chris wrote:
>
>> HTML already allows people to be misled:
>
>> <a href="http://www.givemecash.ca"
>> title="http://scotiabank.ca">scotiabank.ca</a>
>
> True, but using web fonts something like
>
> <a href="http://www.givemecash.ca"
> title="http://scotiabank.ca">scotiabank.ca</a>www.givemecash.ca</a>
>
> could display as text on screen with the appearance 'scotiabank.ca'. The
> security issue is the same, but able to be leveraged in new ways.

Displays where? In the page? There's no new leverage here - as Chris said, the ability to use confusing link text has always existed, and using webfonts to deliver confusing link text gets you nothing.

Elsewhere in the chrome, the page's styles don't apply. If the user looks at the destination in the status bar or the address bar, they'll get the real address. If they do a view-source, they'll get browser-chosen fonts, which will show the link text as normal.

I don't see where any new vulnerability or source of confusion can be introduced.

~TJ

Received on Wednesday, 16 March 2011 20:52:59 UTC