- From: Doug Schepers <schepers@w3.org>
- Date: Fri, 26 Sep 2008 02:41:06 -0400
- To: robert@ocallahan.org
- CC: www-svg <www-svg@w3.org>
Hi, Rob-

Man, you have a sneaky mind. I'm glad you're the one writing a browser!

Thanks for bringing this up. We've logged it in the Tracker (ISSUE-2071), and will be discussing this soon. If you'd like to schedule a brainstorming session, please let us know and we'll set up a time that works for you. Once we come up with a solution, we will issue an errata on this.

Thanks-
-Doug, on behalf of the SVG WG

Robert O'Callahan wrote (on 9/25/08 12:09 AM):
> It seems that using clever combinations of SVG 1.1 features, untrusted
> content can capture the rendering of a third-party site ... depending on
> some very subtle stuff in the spec.
>
> The idea is to start with image.svg which contains a <foreignObject> which
> contains an <iframe> of the site you wish to capture, say mail.google.com.
> Then you wrap that foreignObject in a <filter> which uses <feColorMatrix>
> and <feComponentTransfer> to map some pixel values to alpha=0 and other
> pixel values to alpha=1. Then you create another document, say outer.svg,
> which contains <image src="image.svg" style="pointer-events:painted">. Then
> in outer.svg, using the non-SVG but common-in-Web-UAs DOM API
> "elementFromPoint", you can hit-test over <image> to see which pixels have
> nonzero alpha.
>
> This could be used by some evil site to capture and transmit the contents of
> intranet sites or certain Web applications the user might auto-login to, so
> it's very serious. Fortunately I don't think this works in any UA yet;
> Firefox doesn't support pointer-events, Safari doesn't support <filter> and
> I believe Opera doesn't handle <foreignObject> in filters.
>
> Now, pointer-events:painted says that alpha-value testing should only be
> applied to "raster images", and technically <image src="image.svg"> is not a
> *raster* image, so perhaps we can use that loophole to say that in fact
> pointer-events does not test alpha values for that image. But it feels
> strange for pointer-events to depend on the actual image type there, and it
> feels even worse for that to be the only defense against a serious security
> hole.
>
> But I don't have any better ideas at the moment.
>
> Rob
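As an added example, not part of the thread or of any WG deliverable: a small Python lint that flags the two halves of the construct Rob describes (a foreignObject rendered through a filter, and an SVG file hit-tested as a painted image), the kind of check a server-side SVG sanitizer could run before serving user-supplied SVG. The element names come from the message; the sample documents and the `https://intranet.example/` URL are constructed.

```python
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
XLINK = "{http://www.w3.org/1999/xlink}"

def find_risky_svg_constructs(svg_text):
    """Return findings for a foreignObject rendered through a filter and for
    an SVG document that is hit-tested with pointer-events:painted."""
    root = ET.fromstring(svg_text)
    parent = {child: p for p in root.iter() for child in p}  # child -> parent
    findings = []

    for fo in root.iter(SVG + "foreignObject"):
        findings.append("foreignObject present (embeds non-SVG content)")
        node = parent.get(fo)
        while node is not None:  # walk ancestors looking for a filter property
            style = node.get("style", "").replace(" ", "")
            if node.get("filter") or "filter:" in style:
                findings.append("foreignObject rendered through a filter")
                break
            node = parent.get(node)

    for img in root.iter(SVG + "image"):
        style = img.get("style", "").replace(" ", "")
        painted = (img.get("pointer-events") in ("painted", "visiblePainted")
                   or "pointer-events:painted" in style
                   or "pointer-events:visiblePainted" in style)
        href = (img.get(XLINK + "href") or img.get("href") or "").lower()
        if painted and (href.endswith(".svg") or href.startswith("data:image/svg")):
            findings.append("SVG image hit-tested with pointer-events:painted")
    return findings

# Constructed samples mirroring the structure described in the thread.
CAPTURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="400" height="300">
  <filter id="f"><feColorMatrix/><feComponentTransfer/></filter>
  <g filter="url(#f)">
    <foreignObject width="400" height="300">
      <iframe xmlns="http://www.w3.org/1999/xhtml" src="https://intranet.example/"/>
    </foreignObject>
  </g>
</svg>"""
OUTER_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="image.svg" width="400" height="300" style="pointer-events: painted"/>
</svg>"""
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <filter id="f"><feColorMatrix/></filter><rect filter="url(#f)" width="10" height="10"/>
</svg>"""

if __name__ == "__main__":
    for name, doc in [("image.svg", CAPTURE_SVG), ("outer.svg", OUTER_SVG), ("benign", BENIGN_SVG)]:
        print(name, find_risky_svg_constructs(doc) or ["ok"])
```

A UA-side mitigation is the same decision applied at render time: treat an SVG loaded via <image> as opaque for hit-testing regardless of its pixel alpha.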
Received on Friday, 26 September 2008 06:41:41 UTC