- From: Dirk Schulze <dschulze@adobe.com>
- Date: Tue, 6 Nov 2012 15:00:59 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi, I am one of the editors of the CSS Masking specification[1]. The specification has a security section[2] and I got the advice to ask at webappsec for a security review. Note that the spec and this section in question is in an early stag. I am very happy to get suggestions. To the context =========== SVG can reference so called SVG resources. SVG resources can be paint servers, masks, clip-paths, filters. These are style description in pure XML markup, referenced by an IRI in a style property: <svg> <mask id="mask"> <rect width="100" height="100" /> </mask> </svg> <div style="mask: url(#mask)"> In this case the div box gets masked by the content of the referenced <mask> element. Problems: * Cycle references: <mask id="a" xlink:href="#b"/><mask id="b" xlink:href="#a"/> Since SVG resources can nearly always reference other SVG resources, a cycle detection algorithm marks and tracks visited nodes and stops if a cycle is detected for all SVG resources. This is an implementation detail but noted in SVG 1.1. * Reference to external documents: IRI allows cross document references by IRI. <mask xlink:href="http://external.com/image.svg#mask"/> This element reference might be in a different document on a different domain. The last point is problematic, since it should not be allowed to reference cross domain resources. The security section in CSS Masking aims to specify this for <mask> and <clipPath>. Please ask if you need more information. I am happy to provide more details if needed. Greetings, Dirk [1] http://dvcs.w3.org/hg/FXTF/raw-file/tip/masking/index.html [2] http://dvcs.w3.org/hg/FXTF/raw-file/tip/masking/index.html#security
Received on Tuesday, 6 November 2012 23:05:41 UTC