W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

Security model review CSS Masking

From: Dirk Schulze <dschulze@adobe.com>
Date: Tue, 6 Nov 2012 15:00:59 -0800
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <386C33EA-991E-4727-B35E-68FC451CC7F9@adobe.com>

I am one of the editors of the CSS Masking specification[1]. The specification has a security section[2] and I got the advice to ask at webappsec for a security review. Note that the spec and this section in question is in an early stag. I am very happy to get suggestions.

To the context

SVG can reference so called SVG resources. SVG resources can be paint servers, masks, clip-paths, filters. These are style description in pure XML markup, referenced by an IRI in a style property:

	<mask id="mask">
		<rect width="100" height="100" />
<div style="mask: url(#mask)">

In this case the div box gets masked by the content of the referenced <mask> element.

* Cycle references: <mask id="a" xlink:href="#b"/><mask id="b" xlink:href="#a"/> Since SVG resources can nearly always reference other SVG resources, a cycle detection algorithm marks and tracks visited nodes and stops if a cycle is detected for all SVG resources. This is an implementation detail but noted in SVG 1.1.
* Reference to external documents: IRI allows cross document references by IRI. <mask xlink:href="http://external.com/image.svg#mask"/> This element reference might be in a different document on a different domain.

The last point is problematic, since it should not be allowed to reference cross domain resources. The security section in CSS Masking aims to specify this for <mask> and <clipPath>.

Please ask if you need more information. I am happy to provide more details if needed.


[1] http://dvcs.w3.org/hg/FXTF/raw-file/tip/masking/index.html
[2] http://dvcs.w3.org/hg/FXTF/raw-file/tip/masking/index.html#security
Received on Tuesday, 6 November 2012 23:05:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:30 UTC