Yes. I'm talking about @font-face.

I know that iframes provide no security benefit, but from what I could
gather, the reason Caja cannot load font-faces is that browsers can only
load new fonts globally and that cannot be sandboxed. What I'm saying is
that the caja'ed code is running inside an iframe with Caja. In this case,
it is secure (as long as I allow it in the URL rewrite) to load a font.

On Friday, August 31, 2012 7:28:39 PM UTC+1, Kevin Reid wrote:
>
> On Fri, Aug 31, 2012 at 6:21 AM, Artur Ventura <[email protected]> wrote:
> > I'm running JavaScript code with forceES5, but I want to whitelist
> > font-face. I have no problem with whitelisting it because the code is
> > already running inside an iframe, so I can allow it (as long as it goes
> > through the URL rewrite).
>
> forceES5 should not be used for actual applications as it is 
> potentially insecure. iframes provide no security benefit unless the 
> iframe is from a separate origin (∼ domain). 
>
> Just to confirm, you are talking about the @font-face{...} facility 
> for downloadable fonts, not a regular CSS property, correct? 
>
