
[SVGMobile12] Connection interface is impossible to implement safely

From: Ian Hickson <ian@hixie.ch>
Date: Sat, 22 Jul 2006 04:32:07 +0000 (UTC)
To: www-svg@w3.org
Message-ID: <Pine.LNX.4.62.0607220428030.4826@dhalsim.dreamhost.com>


The Connection interface (A.7.3) is impossible to implement without 
exposing the UA to security vulnerabilities. This is the case even if one 
dramatically limits the possible actions one could take with this API; for 
example, limiting the host to the content's host and the port to the 
content's port would still allow XSS attacks.

Please either make support of this API optional, clearly marking it as 
being inappropriate for use on the Web, or redesign it such that it does 
not expose UA vendors to security flaws by design.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Saturday, 22 July 2006 04:32:19 GMT