Data Exfiltration via CSS and SVG Font

The ingenuity of these exploits will never cease to amaze me.<p>I&#x27;ve found a few in my time, but nothing ever this cunning.<p>I once figured out that an auction site had a bug allowing a small snippet of HTML in their usernames. I changed my username so that when I bid on an item and my username was displayed on the page it hid the bid button so that no-one else could bid and I won every item for the minimum bid. That didn&#x27;t last long. I got banned and got a very amusing letter in the mail from the managing director saying &quot;Nice try, old chap.&quot;

For those who didn&#x27;t read the article and wondering why you would use svg fonts which are supported only in safari vs the usual technique of woff which is supported everywhere,its because svg allows bypassing csp restrictions if its embedded in same document.<p>I&#x27;m personally kind of surprised that you can have font-src: &#x27;none&#x27; in csp, but still allow specifying an svg font as #foo to load from same document without violating csp. I kind of thought you&#x27;d need &#x27;self&#x27; or something. data: is already banned by this type of policy.