Re: [css4-images] support for SVG Paint Servers without element()

On Oct 25, 2012, at 12:07 AM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

> On 10/24/12 5:56 PM, Dirk Schulze wrote:
>> Means resources like SVG mask, gradient, patterns, filters, clippath must
>> be from the same origin?
> 
> Yes.
> 
>> Why that?
> 
> Because masking and such are detectable (e.g. for hit-testing), so if 
> you do cross-origin loads there you can read information cross-origin 
> from SVG files by using various parts of those files as masks.

I'll bring it up on the next SVG telcon. An example document with a security issue would still be useful.

Greetings,
Dirk

> 
>> SVG does not have such restrictions.
> 
> The SVG spec doesn't have much in the way of security considerations at 
> all.  It's been a problem in the past.
> 
>>> The latter can't be changed without breaking compat, but changing the
>>> former may expose security issues.
>> 
>> Can you give me an example? How can an external mask cause a security
>> issue?
> 
> See above.
> 
>> How do you handle it on pure SVGs?
> 
> Exactly the same way: all paint servers and whatnot must be same-origin 
> with the linking file.  The one "exception" is that paint servers from 
> data: are OK; the concept of "origin" for data: is as usual a bit fuzzy.
> 
> -Boris
> 

Received on Thursday, 25 October 2012 22:34:22 UTC
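
The loading rule described in the thread (paint servers, masks, filters and clip paths must be same-origin with the linking file, with `data:` references allowed), written out as an added example that is not part of the original messages and not any browser's actual code. The function name, the sample URLs and the decision to always allow same-document fragment references are assumptions made for illustration.

```javascript
// Added illustration. isAllowedResourceRef and all URLs below are hypothetical.
// Decides whether a document may use `ref` (the target of mask=, fill=url(...),
// filter=, clip-path= and similar) under a same-origin-only policy.
function isAllowedResourceRef(ref, documentUrl) {
  const doc = new URL(documentUrl);
  let target;
  try {
    // Resolves relative, protocol-relative and fragment-only references
    // against the linking document, as a user agent would before loading.
    target = new URL(ref, doc);
  } catch (e) {
    return false; // unparsable reference: refuse to load it
  }

  // The one exception named in the thread: resources embedded via data:.
  if (target.protocol === 'data:') return true;

  // Assumption: a reference into the linking document itself (e.g. "#grad")
  // involves no cross-origin load, so it is allowed even for opaque origins.
  const stripFragment = (u) => u.href.split('#')[0];
  if (stripFragment(target) === stripFragment(doc)) return true;

  // URL.origin serializes opaque origins (file:, for example) as "null";
  // two opaque origins are never treated as equal to each other.
  if (doc.origin === 'null' || target.origin === 'null') return false;

  // Same origin means same scheme, host and port. The URL parser already
  // normalizes default ports, so ":443" on https compares equal to none.
  return target.origin === doc.origin;
}

// Constructed sample references, checked against one linking document.
const LINKING_DOC = 'https://app.example/page/index.svg';
const SAMPLE_REFS = [
  '#grad',
  'defs.svg#mask',
  'https://app.example:443/shared/filters.svg#blur',
  'http://app.example/defs.svg#mask',
  '//cdn.example/patterns.svg#dots',
  'https://other.example/private.svg#shape',
  'data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22/%3E#g',
];

function classifySamples() {
  return SAMPLE_REFS.map((ref) => [ref, isAllowedResourceRef(ref, LINKING_DOC)]);
}
```

A reference that is refused is simply not loaded, so the mask, filter or paint server behaves as if it were missing and nothing about the cross-origin file becomes observable through rendering or hit-testing.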