Security model review CSS Masking


I am one of the editors of the CSS Masking specification[1]. The specification has a security section[2] and I got the advice to ask at webappsec for a security review. Note that the spec and this section in question are in an early stage. I am very happy to get suggestions.

To the context

SVG can reference so-called SVG resources. SVG resources can be paint servers, masks, clip-paths, filters. These are style descriptions in pure XML markup, referenced by an IRI in a style property:

	<mask id="mask">
		<rect width="100" height="100" />
	</mask>
	<div style="mask: url(#mask)"></div>

In this case the div box gets masked by the content of the referenced <mask> element.

* Cycle references: <mask id="a" xlink:href="#b"/><mask id="b" xlink:href="#a"/> Since SVG resources can nearly always reference other SVG resources, a cycle detection algorithm marks and tracks visited nodes and stops if a cycle is detected for all SVG resources. This is an implementation detail but noted in SVG 1.1.
* Reference to external documents: IRI allows cross document references by IRI. <mask xlink:href=""/> This element reference might be in a different document on a different domain.

The last point is problematic, since it should not be allowed to reference cross domain resources. The security section in CSS Masking aims to specify this for <mask> and <clipPath>.

Please ask if you need more information. I am happy to provide more details if needed.



Received on Tuesday, 6 November 2012 23:05:41 UTC
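
The two checks described in the message (stopping on cyclic resource references and refusing references into another domain) can be sketched together as follows. This is an added example, not code from the specification or from any browser. The resource table, the URLs, the function name resolveResource and the choice of a same-origin comparison as the cross-domain test are all assumptions made for illustration.

```javascript
// Constructed sample data: resources keyed by absolute URL (document + #fragment).
// "href" stands for the xlink:href a resource carries, or null if it has none.
const BASE = "https://example.org/page.svg";
const resources = new Map([
  ["https://example.org/page.svg#mask", { href: null }],
  ["https://example.org/page.svg#a", { href: "#b" }],
  ["https://example.org/page.svg#b", { href: "#a" }],
  ["https://example.org/page.svg#c", { href: "https://other.example/res.svg#m" }],
  ["https://example.org/page.svg#d", { href: "#mask" }],
]);

// Follow a chain of references starting at startRef, as used from baseUrl.
// Rejects any hop that leaves the origin of the referencing document and
// stops as soon as a node is visited a second time.
function resolveResource(startRef, baseUrl, store) {
  const origin = new URL(baseUrl).origin;
  const visited = new Set(); // mark-and-track set for cycle detection
  let ref = startRef;
  let docUrl = baseUrl;
  for (;;) {
    const target = new URL(ref, docUrl); // resolve relative or absolute IRI
    if (target.origin !== origin) {
      return { ok: false, reason: "cross-origin", at: target.href };
    }
    if (visited.has(target.href)) {
      return { ok: false, reason: "cycle", at: target.href };
    }
    visited.add(target.href);
    const node = store.get(target.href);
    if (!node) {
      return { ok: false, reason: "missing", at: target.href };
    }
    if (!node.href) {
      return { ok: true, resolved: target.href, chain: [...visited] };
    }
    ref = node.href;       // next hop
    docUrl = target.href;  // relative hops resolve against the current document
  }
}

for (const ref of ["#mask", "#a", "#c", "#d"]) {
  console.log(ref, resolveResource(ref, BASE, resources));
}
```

The origin check runs before the lookup, so a reference into another domain is refused without the other document ever being fetched.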