- From: Daniel Holbert <dholbert@mozilla.com>
- Date: Tue, 17 Mar 2015 00:13:56 -0700
- To: www-svg@w3.org
- Cc: Robert Longson <longsonr@gmail.com>

On 03/05/2015 03:50 AM, Robert Longson wrote:
> SMIL event handling in images is off for good reason see
> https://bugzilla.mozilla.org/show_bug.cgi?id=704482 and
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3663 so it's not
> coming back unless you can address the security concerns.

For the record, that vulnerability required more than interactivity -- it required interactivity *plus the ability to load remote resources*.

With SVG in an image context (in Firefox at least), remote loads are blocked, so that attack scenario fails. Basically, you can try to keylog, but there's no way to phone home to report the logged keys.

So, I can't immediately think of a way for attackers to *exploit* SVG-image interactivity to log keystrokes. Though, people could e.g. use custom avatars or "weird magic trick" image-posts that *appear* to the user to be capturing their keystrokes (by playing them back) -- even though they're merely *reacting* to them, & can't persistently save them or phone home.

So, I suspect it might theoretically be safe to allow SMIL to handle events in SVG-as-an-image context. (clicks at least, & perhaps keystrokes depending on how concerned you are about trolling)

But nonetheless, as Dirk brought up elsethread: even if it were safe & we added interactivity to SVG images, that might become a disincentive for social media sites to accept SVG uploads, depending on their expected limitations for users' uploaded content like avatars & photos.

~Daniel

Received on Tuesday, 17 March 2015 07:14:34 UTC
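
The two ingredients named in the message above (event-driven SMIL timing, and a reference that could load a remote resource) can be checked for before a site accepts an SVG upload. This is an added example, not code from the thread or from Firefox; `audit_svg`, `is_event_timing` and the sample document are constructed for illustration, and the check assumes only `begin`/`end` and `href`/`xlink:href` attributes are of interest.

```python
import re
import xml.etree.ElementTree as ET

SMIL_TAGS = {"animate", "set", "animateMotion", "animateTransform", "animateColor"}
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
CLOCK = re.compile(r"^[+-]?\s*[\d:.]+\s*(h|min|s|ms)?$")
TRAILING_OFFSET = re.compile(r"\s*[+-]\s*[\d:.]+\s*(h|min|s|ms)?$")

# Constructed sample upload, not taken from the thread or from any real file.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect id="r" width="10" height="10">
    <set attributeName="fill" to="red" begin="accessKey(a)"/>
    <animate attributeName="x" to="5" dur="1s" begin="0s; r.click+1s"/>
    <animate attributeName="y" to="5" dur="1s" begin="other.end+2s"/>
  </rect>
  <image xlink:href="https://remote.example/x.png" width="1" height="1"/>
  <use href="#r"/>
</svg>"""

def is_event_timing(token):
    """True if one SMIL begin/end value waits on a user-driven event."""
    token = token.strip()
    if not token or CLOCK.match(token) or token.startswith(("indefinite", "wallclock(")):
        return False                            # offsets and fixed times
    if token.startswith("accessKey("):          # keystroke trigger
        return True
    base = TRAILING_OFFSET.sub("", token)       # "r.click+1s" -> "r.click"
    name = base.rsplit(".", 1)[-1]
    if "." in base and name in ("begin", "end"):  # syncbase, not an event
        return False
    return not name.startswith("repeat(")

def audit_svg(svg_text):
    """Report event-driven SMIL timing and non-local href targets."""
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        raise ValueError("DTD in upload")       # conservative: refuse DTDs outright
    found = {"event_timing": [], "external_refs": []}
    for el in ET.fromstring(svg_text).iter():
        local = el.tag.rsplit("}", 1)[-1]       # drop the XML namespace
        if local in SMIL_TAGS:
            for attr in ("begin", "end"):
                for token in el.get(attr, "").split(";"):
                    if is_event_timing(token):
                        found["event_timing"].append((local, attr, token.strip()))
        for attr in ("href", XLINK_HREF):       # url() in CSS is out of scope here
            ref = el.get(attr, "").strip()
            if ref and not ref.startswith(("#", "data:")):
                found["external_refs"].append((local, ref))
    return found
```

A file that lands in both lists combines the two conditions the message says the earlier vulnerability needed; a file only in `event_timing` is the "reacting but unable to phone home" case, which a site may still refuse for avatars and photos.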