ISSUE-2071 (filter security): potential security hole involving pointer-events, filters, foreignObject, cross-origin IFRAMEs, and elementFromPoint [SVG Full 1.1] from SVG Working Group Issue Tracker on 2008-09-25 (public-svg-wg@w3.org from July to September 2008)

From: SVG Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Thu, 25 Sep 2008 07:25:35 -0400 (EDT)
To: public-svg-wg@w3.org
Message-Id: <20080925112535.2CE7E4DD65@crusher.w3.org>

ISSUE-2071 (filter security): potential security hole involving pointer-events, filters, foreignObject, cross-origin IFRAMEs, and elementFromPoint [SVG Full 1.1]

http://www.w3.org/Graphics/SVG/WG/track/issues/2071

Raised by: Doug Schepers
On product: SVG Full 1.1

Robert O'Callahan
<http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html>:
[[
It seems that using clever combinations of SVG 1.1 features, untrusted
content can capture the rendering of a third-party site ... depending on
some very subtle stuff in the spec.

The idea is to start with image.svg which contains a <foreignObject> which
contains an <iframe> of the site you wish to capture, say mail.google.com.
Then you wrap that foreignObject in a <filter> which uses <feColorMatrix>
and <feComponentTransfer> to map some pixel values to alpha=0 and other
pixel values to alpha=1. Then you create another document, say outer.svg,
which contains <image src="image.svg" style="pointer-events:painted">. Then
in outer.svg, using the non-SVG but common-in-Web-UAs DOM API
"elementFromPoint", you can hit-test over <image> to see which pixels have
nonzero alpha.

This could be used by some evil site to capture and transmit the contents of
intranet sites or certain Web applications the user might auto-login to, so
it's very serious. Fortunately I don't think this works in any UA yet;
Firefox doesn't support pointer-events, Safari doesn't support <filter> and
I believe Opera doesn't handle <foreignObject> in filters.

Now, pointer-events:painted says that alpha-value testing should only be
applied to "raster images", and technically <image src="image.svg"> is not a
*raster* image, so perhaps we can use that loophole to say that in fact
pointer-events does not test alpha values for that image. But it feels
strange for pointer-events to depend on the actual image type there, and it
feels even worse for that to be the only defense against a serious security
hole.

But I don't have any better ideas at the moment.
]]

Received on Thursday, 25 September 2008 11:26:08 UTC