W3C home > Mailing lists > Public > www-svg@w3.org > March 2006

Re: SVG 1.2 Tiny: Networking API issues

From: Chris Lilley <chris@w3.org>
Date: Fri, 3 Mar 2006 07:14:55 +0100
Message-ID: <61459488.20060303071455@w3.org>
To: Maciej Stachowiak <mjs@apple.com>
Cc: www-svg@w3.org, Jeff Schiller <codedread@gmail.com>

On Thursday, March 2, 2006, 6:18:15 PM, Maciej wrote:

MS> On Mar 2, 2006, at 6:39 AM, Chris Lilley wrote:


>> Hello www-svg,

>> Jeff Schiller <codedread@gmail.com> wrote:

>>> I'm no security expert, but what about a script that requests a
>>> connection to the localhost on various ports (i.e. FTP 21, etc) and
>>> sniffs about the local host, then sends the data it finds back to the
>>> server through standard ports? Would that effectively open up your
>>> computer by bypassing any firewall since the "attack" would come from
>>> within the localhost browser or do firewalls watch for that sort of
>>> thing too?

>> There are a number of different security models that might be used by
>> different types of svg implementations.  For example,[...]

I encourage you to re-read this part.

MS> As mentioned before on this list, this model is insufficient for a  
MS> raw socket API that is offered to arbitrary web content.

MS> (1) The real restriction used by web browsers is not just host, but
MS> host+port +scheme. (2)

Yes, that would be another example. It does of course allow access to a
range of other protocols, especially when used with a widely tunnelled
port such as 80.

MS> I think it is unwise to specify networking APIs for the web without 
MS> properly addressing the security considerations.

So on the one hand you list an additional security model, demonstrating
the point that there are a variety of models that may be used depending
on circumstance; and on the other hand you seem to want one specific
security model to be mandated?



-- 
 Chris Lilley                    mailto:chris@w3.org
 Chair, W3C SVG Working Group
 W3C Graphics Activity Lead
 Co-Chair, W3C Hypertext CG
Received on Friday, 3 March 2006 06:14:56 GMT

This archive was generated by hypermail 2.3.1 : Friday, 8 March 2013 15:54:34 GMT