Re: Web font security issue?

On Wed, Mar 16, 2011 at 2:25 PM, John Hudson <tiro@tiro.com> wrote:
> Tab Atkins wrote:
>> There's no new leverage here - as Chris
>> said, the ability to use confusing link text has always existed, and
>> using webfonts to deliver confusing link text gets you nothing.
>
> The example Chris provided involved using misleading title text within the
> link tag. What I am describing is using misleading glyphs in the display of
> actual text on the page, i.e. a served font with a hacked cmap table that
> maps glyphs to characters in such a way that the appearance of a text string
> is changed to read as something else.

No, Chris's example used misleading text both in the title attribute
and in the link text.  The only clue about the actual destination was
the href attribute.  This is precisely the same as your vulnerability.

~TJ

Received on Wednesday, 16 March 2011 21:31:31 UTC
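
Both variants discussed in this exchange leave the href attribute as the only reliable statement of where a link goes. As an added example (not part of the thread; the sample markup and host names are constructed), a Python check that flags links whose text or title names a different host than the href:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches host-like tokens such as "www.example.com" in link text or titles.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

class LinkAudit(HTMLParser):
    """Collect href, title and text for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = {"href": a.get("href") or "",
                         "title": a.get("title") or "", "text": ""}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def mismatched_links(html):
    """Return links whose text or title names a host other than the href's."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    flagged = []
    for link in parser.links:
        dest = (urlsplit(link["href"]).hostname or "").lower()
        shown = link["text"] + " " + link["title"]
        claimed = {h.lower() for h in HOST_RE.findall(shown)}
        # Flag only when the link names a host and it is not the real one.
        if dest and claimed and dest not in claimed:
            flagged.append((link["href"], sorted(claimed)))
    return flagged

# Constructed sample page; the hosts are placeholders.
SAMPLE = """
<a href="http://login.example.net/" title="www.example.com">www.example.com</a>
<a href="http://www.example.org/docs">www.example.org</a>
<a href="http://www.example.org/about">About us</a>
"""
```

A font with a remapped cmap changes only what is drawn, not the characters in the document, so this text comparison cannot see it; in that case the href is the only thing left to inspect.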