- From: Daniel Holbert <dholbert@mozilla.com>
- Date: Tue, 15 Sep 2015 13:10:53 -0700
- To: robert@ocallahan.org, "public-fx@w3.org" <public-fx@w3.org>, www-style <www-style@w3.org>
On 09/14/2015 04:49 PM, Robert O'Callahan wrote: > I don't understand the minutes very well, but heycam says authors want > SVG images that can load external resources for sharing purposes, i.e., > the "animated mode" from here: > https://svgwg.org/specs/integration/#animated-mode > > We don't support that mode currently because it can lead to surprising, > privacy-harming behavior for Web sites that allow third-party image > uploads and have open redirectors. Example Even without an open redirector, there are cases with surprising/undesirable behaviors. One example that I've thought about recently: sites that try to work around ad-blockers by serving 3rd-party ad banners from their own domain (via a server-side proxy). If we grant same-origin-loading privileges to SVG images, then these ad banners could pull in arbitrary resources from the site that the user is visiting, e.g. to make the ad look more personalized. Hypothetical scenario which demonstrates the problem: (1) Some site, say socialnetwork.com, serves banner-image ads provided by adserver.com. (2) A user of that site has an ad-blocker extension which blocks connections to adserver.com. (3) When that user visits socialnetwork.com, the site detects that the ad failed to load. It then updates the ad-banner <img> element to now point to a resource on socialnetwork.com (instead of adserver.com), and it transparently proxies that URI (server-side) to actually load a resource from the ad network. (4) Now the ad successfully loads (because the ad blocker allows resources from socialnetwork.com). BUT: also, now the browser sees the ad image as being same-origin with socialnetwork.com. (5) An sneaky advertiser takes advantage of this by constructing an SVG ad-banner, which tries to reference the user's profile image (which let's say lives at a well-known URI like socialnetwork.com/currentUser/profile.jpg) as an <svg:image> inside of the ad. (6) So now, the user sees an ad-banner with their own photo *inside of the ad*. If we allow SVG images to load same-origin resources, then this would totally work, and would be surprising to the social network site. They were presumably sweet-talked into allowing 3rd-party ads to be served via their own domain, as a way of getting around ad-blockers, because they bought into the reasonable assumption that (unlike e.g. scripts) images were self-contained things that had no special same-origin privileges. ~Daniel
Received on Tuesday, 15 September 2015 20:11:24 UTC