Re: SVG 1.2 Comment: B.2.3 Socket Connections

From: Peter Sorotokin <psorotok@adobe.com>
Date: Wed, 03 Nov 2004 17:26:38 -0800
To: Ian Hickson <ian@hixie.ch>
Cc: www-svg@w3.org
Message-id: <5.2.0.9.2.20041103172252.04e6ceb8@mailsj-v1.corp.adobe.com>

At 12:52 AM 11/4/2004 +0000, Ian Hickson wrote:
>[snip]
> > > A more serious attack would be for untrusted injected script to make a
> > > direct connection to port 25 (SMTP). That would allow spam to be sent
> > > from client machines. Since the interfaces would be available to any
> > > script in UAs that implement SVG (not just in SVG drawings, which are
> > > very rare and thus less of an attack vector), this would basically
> > > mean that any HTML site that can be attacked via script injection
> > > (which is a lot of them) goes from being subject to cross-domain
> > > attacks (rarely a major problem on such insecure sites) to being a
> > > potential spam relay point (very bad).
> >
> > How is it different than, say, Java applets?
>
>It isn't. Java applets are not trusted, and require the user to agree to
>running them in most secure UAs.

Most secure UAs can block these connections (or require the user to approve it
for a specific host, verify signatures, etc.). We are not imposing our
security model on UAs; we are just outlining baseline expectations.

Peter

>[snip]
Received on Thursday, 4 November 2004 01:27:03 UTC
