
Re: SVGT 1.2: OriginalEvent underspecified; behavior could be a security risk

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 30 Dec 2005 11:12:02 +0100
To: Maciej Stachowiak <mjs@apple.com>
Cc: www-svg@w3.org, public-cdf@w3.org
Message-ID: <0h1ar1hp4n1nugc2mcmtlldnkptkbnnim2@hive.bjoern.hoehrmann.de>

* Maciej Stachowiak wrote:
>SECURITY ISSUES
>
>Furthermore, it seems to me that cross-inclusion bubbling of events  
>could be a security risk, when used across domains. At least reading  
>this naively, you could pull off exploits like this:
>
>* Include a web page from a different web server in a full-window  
>foreignObject and install a keyboard/mouse sniffer on it to see what  
>the user is typing into a seemingly other site.
>
>* Get access to elements of the foreign document via  
>event.originalEvent.target and so forth, and then use DOM APIs to  
>inject content into the foreign document.
>
>Is it really necessary to provide cross-domain bubbling like this? It  
>seems like the right way to deal with this is to provide  
>contentDocument attributes on any element that can attach foreign  
>content, subject to the typical security restrictions, then you can  
>attach any event handlers you want, whether capturing or bubbling or  
>what have you.
>
>Therefore I recommend removing this feature and instead providing  
>contentDocument attributes for foreignObject and animation (or  
>skipping over cross-document inclusion issues for now and let the CDF  
>WG handle it).

Note that the CDF Working Group already handled this and the relevant
Working Draft http://www.w3.org/TR/CDR/#event-propagation is in Last
Call as well. Neither feature as currently specified makes much sense
to me, but it seems most of the issues you raise apply to the CDF draft
as well; I'd appreciate if you could have a look at the "CDR" draft and
provide feedback to the CDF WG.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 30 December 2005 10:11:46 GMT
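
The restriction proposed in the quoted message (reach embedded content only through a contentDocument-style accessor under "the typical security restrictions", rather than through cross-document bubbling), as an added JavaScript model that is not part of the thread or of any specification. It assumes those restrictions mean the same-origin policy; `Doc`, `Elem`, `dispatch`, `demo` and the `*.example` URLs are hypothetical names constructed for illustration.

```javascript
// Toy model (constructed, not a browser API): documents with an origin,
// elements that may embed a child document, and event bubbling between them.
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;
class Doc {
  constructor(url, host = null) {
    this.url = url;
    this.host = host;            // embedding element in the parent document, or null
    if (host) host.embedded = this;
  }
}

class Elem {
  constructor(doc, parent = null) {
    Object.assign(this, { doc, parent, embedded: null, listeners: [] });
  }
  // contentDocument-style accessor: null unless the embedder is same-origin.
  contentDocument() {
    const child = this.embedded;
    return child && sameOrigin(this.doc.url, child.url) ? child : null;
  }
}

// Bubble from target towards the root; cross an inclusion boundary only when
// the embedding document has the same origin as the embedded one.
function dispatch(target, type) {
  const reached = [];
  for (let node = target; node; ) {
    node.listeners.forEach((fn) => fn({ type, target }));
    reached.push(node);
    if (node.parent) { node = node.parent; continue; }
    const host = node.doc.host;
    node = host && sameOrigin(host.doc.url, node.doc.url) ? host : null;
  }
  return reached;
}

// Constructed scenario: one page embeds a same-origin and a foreign document.
function demo() {
  const outer = new Doc("https://outer.example/page.svg");
  const root = new Elem(outer), seen = [];
  root.listeners.push((e) => seen.push(e.type));   // listener on the embedding page
  const hostA = new Elem(outer, root), hostB = new Elem(outer, root);
  const inputA = new Elem(new Doc("https://outer.example/form.html", hostA));
  const inputB = new Elem(new Doc("https://bank.example/login.html", hostB));
  dispatch(inputA, "keydown-same");
  dispatch(inputB, "keydown-foreign");
  return { seen, a: hostA.contentDocument() !== null, b: hostB.contentDocument() };
}
```

In this model the embedding page's listener only ever sees events from the same-origin inclusion, and the foreign document is unreachable through the accessor.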
