Re: SVG 1.2 Comment: B.2.3 Socket Connections

From: Peter Sorotokin <psorotok@adobe.com>
Date: Thu, 04 Nov 2004 12:37:04 -0800
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Cc: www-svg@w3.org

At 01:19 PM 11/4/2004 -0600, Boris Zbarsky wrote:
>Peter Sorotokin wrote:
>>>The problem is that it allows evil.com, say, to make it look like John 
>>>Smith, who was just looking at the nice SVG image on evil.com, was 
>>>sending spam through the mail servers run by randomisp.net...
>>But evil.com would have to hack randomisp.net site and inject its code there.
>No, it would not.  It would just need to make John's computer make (or try 
>to make) a socket connection to randomisp.net.  This could happen 
>automatically the moment John loads an evil.com webpage.  I would not be 
>surprised if certain kinds of connection attempts are illegal in some 
>jurisdictions within a few years' time.

Cross-host connections are certainly outlawed. Even for URLRequest.

>>Essentially, two things have to happen: a hackable HTTP server and an open 
>>SMTP server on the same machine. They do happen - and that is the 
>>problem, not Socket APIs.
>No, the hackable HTTP server is absolutely not required here.  The open 
>SMTP server makes the problem worse, but the problem is there even without 
>the open SMTP server.
>>>Since the socket connection is made from John Smith's machine
>This was the key part.  Did you notice it?

Certainly, it is just that I was under the assumption that everyone understood 
that cross-host connections are not allowed. So an evil.org page can connect 
only back to the evil.org server.


>>What if randomisp.net also allows sending mail through port 80 (Web 
>>Service or some sort of custom POST, etc)?
>Of course. You have to block both access to random ports and access to any 
>host but the originating one...  Which radically reduces utility, 
>unfortunately  :(.
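
The restriction discussed in this message (connections only back to the originating host, and no arbitrary ports), as an added example that is not part of the original message or of the SVG 1.2 draft. `canonicalHost` and `socketAllowed` are hypothetical names, and treating the port the document was served from as the only permitted port is an assumption:

```javascript
// Added example: same-host, same-port check for a script-initiated socket.
// Names are hypothetical; the "only the document's own port" rule is an assumption.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Canonicalise a host with the URL parser (lower-case, numeric IPv4 forms such
// as 0x7f.1 to dotted decimal), then drop a trailing dot. Returns null for
// anything that is not a bare host, e.g. "evil.com@randomisp.net".
function canonicalHost(host) {
  if (typeof host !== "string" || /[\s\/\\@?#]/.test(host)) return null;
  const h = host.includes(":") && !host.startsWith("[") ? `[${host}]` : host;
  try {
    return new URL(`http://${h}/`).hostname.replace(/\.$/, "");
  } catch {
    return null; // empty host, host:port smuggled into the host field, etc.
  }
}

// Decide whether a document loaded from documentUrl may open a socket to
// targetHost:targetPort. Denies by default.
function socketAllowed(documentUrl, targetHost, targetPort) {
  const doc = new URL(documentUrl);
  const originHost = canonicalHost(doc.hostname);
  const originPort = doc.port ? Number(doc.port) : DEFAULT_PORTS[doc.protocol];
  const target = canonicalHost(targetHost);
  if (originHost === null || target === null || originPort === undefined) {
    return { allowed: false, reason: "unparseable host or non-HTTP origin" };
  }
  if (target !== originHost) {
    return { allowed: false, reason: "cross-host" };
  }
  if (targetPort !== originPort) {
    return { allowed: false, reason: "port differs from origin" };
  }
  return { allowed: true, reason: "same host and port" };
}

// Constructed cases using the host names from the thread.
const page = "http://evil.com/image.svg";
console.log(socketAllowed(page, "randomisp.net", 25)); // SMTP on another host
console.log(socketAllowed(page, "randomisp.net", 80)); // port 80 on another host
console.log(socketAllowed(page, "evil.com", 25));      // own host, other port
console.log(socketAllowed(page, "EVIL.com.", 80));     // own host, own port
```

Comparing canonicalised hosts rather than raw strings keeps spelling variants of the same host from being treated as different, and keeps a value such as `evil.com@randomisp.net` from passing as the originating host.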
