W3C home > Mailing lists > Public > www-svg@w3.org > September 2008

Re: potential security hole involving ... elementFromPoint (ISSUE-2071)

From: Doug Schepers <schepers@w3.org>
Date: Fri, 26 Sep 2008 02:41:06 -0400
Message-ID: <48DC8402.5090108@w3.org>
To: robert@ocallahan.org
CC: www-svg <www-svg@w3.org>

Hi, Rob-

Man, you have a sneaky mind.  I'm glad you're the one writing a browser!

Thanks for bringing this up.  We've logged it in the Tracker
(ISSUE-2071), and will be discussing this soon.  If you'd like to
schedule a brainstorming session, please let us know and we'll set up a
time that works for you.

Once we come up with a solution, we will issue an errata on this.

Thanks-
-Doug, on behalf of the SVG WG

Robert O'Callahan wrote (on 9/25/08 12:09 AM):
> It seems that using clever combinations of SVG 1.1 features, untrusted
> content can capture the rendering of a third-party site ... depending on
> some very subtle stuff in the spec.
> 
> The idea is to start with image.svg which contains a <foreignObject> which
> contains an <iframe> of the site you wish to capture, say mail.google.com.
> Then you wrap that foreignObject in a <filter> which uses <feColorMatrix>
> and <feComponentTransfer> to map some pixel values to alpha=0 and other
> pixel values to alpha=1. Then you create another document, say outer.svg,
> which contains <image src="image.svg" style="pointer-events:painted">. Then
> in outer.svg, using the non-SVG but common-in-Web-UAs DOM API
> "elementFromPoint", you can hit-test over <image> to see which pixels have
> nonzero alpha.
> 
> This could be used by some evil site to capture and transmit the contents of
> intranet sites or certain Web applications the user might auto-login to, so
> it's very serious. Fortunately I don't think this works in any UA yet;
> Firefox doesn't support pointer-events, Safari doesn't support <filter> and
> I believe Opera doesn't handle <foreignObject> in filters.
> 
> Now, pointer-events:painted says that alpha-value testing should only be
> applied to "raster images", and technically <image src="image.svg"> is not a
> *raster* image, so perhaps we can use that loophole to say that in fact
> pointer-events does not test alpha values for that image. But it feels
> strange for pointer-events to depend on the actual image type there, and it
> feels even worse for that to be the only defense against a serious security
> hole.
> 
> But I don't have any better ideas at the moment.
> 
> Rob
Received on Friday, 26 September 2008 06:41:41 GMT

This archive was generated by hypermail 2.3.1 : Friday, 8 March 2013 15:54:40 GMT