Security model review CSS Masking

Hi,

I am one of the editors of the CSS Masking specification[1]. The specification has a security section[2] and I got the advice to ask at webappsec for a security review. Note that the spec and this section in question is in an early stag. I am very happy to get suggestions.

To the context
===========

SVG can reference so called SVG resources. SVG resources can be paint servers, masks, clip-paths, filters. These are style description in pure XML markup, referenced by an IRI in a style property:

<svg>
	<mask id="mask">
		<rect width="100" height="100" />
	</mask>
</svg>
<div style="mask: url(#mask)">

In this case the div box gets masked by the content of the referenced <mask> element.

Problems:
* Cycle references: <mask id="a" xlink:href="#b"/><mask id="b" xlink:href="#a"/> Since SVG resources can nearly always reference other SVG resources, a cycle detection algorithm marks and tracks visited nodes and stops if a cycle is detected for all SVG resources. This is an implementation detail but noted in SVG 1.1.
* Reference to external documents: IRI allows cross document references by IRI. <mask xlink:href="http://external.com/image.svg#mask"/> This element reference might be in a different document on a different domain.

The last point is problematic, since it should not be allowed to reference cross domain resources. The security section in CSS Masking aims to specify this for <mask> and <clipPath>.

Please ask if you need more information. I am happy to provide more details if needed.

Greetings,
Dirk

[1] http://dvcs.w3.org/hg/FXTF/raw-file/tip/masking/index.html
[2] http://dvcs.w3.org/hg/FXTF/raw-file/tip/masking/index.html#security

Received on Tuesday, 6 November 2012 23:05:41 UTC