modern-web-design-and-development

(Brent) #1

Attack vectors have two features: they have the power to change the
content of a document, and they are technologies that are not proven and
are changing constantly. This is what CSS 3 is right now. Font-embedding in
particular could become a big security issue, because fonts are binary data
that could contain anything: harmless characters as well as viruses
masquerading as a nice charset. It will be interesting to see how this
develops.


JavaScript


JavaScript makes the Web what it is today. You can use it to build interfaces
that are fun to use and that allow visitors to reach their goals fast and
conveniently. You can and should use JavaScript for the following:



  • Create slicker interfaces (e.g. auto-complete, asynchronous uploading)

  • Warn users about flawed entries (password strength, for instance)

  • Extend the interface options of HTML to become an application
    language (sliders, maps, combo boxes, etc.)

  • Create visual effects that cannot be done safely with CSS (animation,
    menus, etc.)


JavaScript is very powerful, though, which also means that it is a security
issue:



  • JavaScript gives you full access to the document and allows you to post
    data to the Internet

  • You can read cookies and send them elsewhere

  • JavaScript is also fully readable by anyone using a browser
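
As an added example (not from the original text), the following checks Set-Cookie response headers for the attributes that restrict the cookie access described in the list above; HttpOnly in particular keeps a cookie out of document.cookie, so page script cannot read it. The function names and sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for attributes that limit
// what page script and other sites can do with a cookie.

// Split one Set-Cookie header into its name and a map of attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  // Simplification: a pair without '=' is treated as a bare name.
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const flags = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    flags[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, flags };
}

// Report which protective attributes a cookie is missing.
function auditCookie(header) {
  const { name, flags } = parseSetCookie(header);
  const findings = [];
  if (!flags.httponly) findings.push('readable via document.cookie (no HttpOnly)');
  if (!flags.secure) findings.push('may be sent over plain HTTP (no Secure)');
  const sameSite = String(flags.samesite || '').toLowerCase();
  if (!['lax', 'strict'].includes(sameSite)) {
    findings.push('no SameSite=Lax/Strict restriction set');
  }
  return { name, findings };
}

// Return only the cookies that have at least one finding.
function auditAll(headers) {
  return headers.map(auditCookie).filter((r) => r.findings.length > 0);
}

// Constructed sample headers, not taken from any real site.
const sampleHeaders = [
  'session=abc123; Path=/',
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict',
  'theme=dark; Secure; SameSite=Lax',
];

console.log(JSON.stringify(auditAll(sampleHeaders), null, 2));
```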
