- From: Peter Sorotokin <psorotok@adobe.com>
- Date: Wed, 03 Nov 2004 17:26:38 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: www-svg@w3.org

At 12:52 AM 11/4/2004 +0000, Ian Hickson wrote:
>[snip]
> > > A more serious attack would be for untrusted injected script to make a
> > > direct connection to port 25 (SMTP). That would allow spam to be sent
> > > from client machines. Since the interfaces would be available to any
> > > script in UAs that implement SVG (not just in SVG drawings, which are
> > > very rare and thus less of an attack vector), this would basically
> > > mean that any HTML site that can be attacked via script injection
> > > (which is a lot of them) goes from being subject to cross-domain
> > > attacks (rarely a major problem on such insecure sites) to being a
> > > potential spam relay point (very bad).
> >
> > How it is different than, say, Java applets?
>
>It isn't. Java applets are not trusted, and require the user to agree to
>running them in most secure UAs.

Most secure UAs can block these connections (or require user to approve it
for a specific host, verify signatures, etc.). We are not imposing our
security model on UAs, we are just outlining baseline expectations.

Peter

>[snip]

Received on Thursday, 4 November 2004 01:27:03 UTC