
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Dirk Schulze <dschulze@adobe.com>
Date: Tue, 9 Apr 2013 06:51:34 -0700
To: Anne van Kesteren <annevk@annevk.nl>
CC: "robert@ocallahan.org" <robert@ocallahan.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>
Message-ID: <C23DE449-83CC-4F83-8FDA-B21092E9D33D@adobe.com>

On Apr 9, 2013, at 6:49 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Apr 9, 2013 at 2:45 PM, Dirk Schulze <dschulze@adobe.com> wrote:
>> I actually just was reminded of one possible security flaw with SVG image and external references.
>> 
>> Take an account at Twitter or Facebook. For both it is not possible to upload an SVG as an image. One reason could be the following scenario:
>> * I upload an SVG file and add an image reference in the SVG file <image xlink:href="/>
>> * This reference has a different origin where the image (e.g. a PNG) is hosted
>> * The server hosting this image now can log how often the image was loaded and can make assumptions about how often the user profile was clicked on this portal.
> 
> I suggest reading carefully through the bug Robert referenced and my
> analyses in response. We discussed exactly this.

Great! To be honest it is a bit hard to follow.

> 
> 
> --
> http://annevankesteren.nl/
Received on Tuesday, 9 April 2013 13:52:14 UTC
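
The scenario quoted above, seen from the hosting site's side, as an added example that is not part of the original thread: a check that lists every `href` / `xlink:href` in an uploaded SVG that resolves to an origin other than the one serving the file. The function name, the sample SVG and all host names are constructed for illustration, and the check covers only `href` attributes, not CSS `url()` references.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample upload: one cross-origin image, one same-origin image,
# one in-document fragment reference and one protocol-relative reference.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://images.example.net/pixel.png" width="1" height="1"/>
  <image xlink:href="/static/logo.png" width="10" height="10"/>
  <use xlink:href="#shape"/>
  <image href="//cdn.example.org/a.png"/>
</svg>"""


def origin(url):
    """(scheme, host, port) tuple. An explicit default port is not normalised,
    so https://host:443 compares unequal to https://host and gets flagged."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def external_references(svg_text, base_url):
    """Return (element, resolved URL) for each href leaving base_url's origin."""
    base = origin(base_url)
    found = []
    # For untrusted uploads, parse with a hardened XML parser (assumption:
    # the deployment supplies one); ElementTree keeps this example stdlib-only.
    for element in ET.fromstring(svg_text).iter():
        for attr in (XLINK_HREF, "href"):
            ref = element.get(attr)
            if ref is None or ref.startswith("#"):
                continue  # absent, or a fragment inside the same document
            resolved = urljoin(base_url, ref)
            if urlsplit(resolved).scheme == "data":
                continue  # inline data, no network request is made
            if origin(resolved) != base:
                tag = element.tag.rsplit("}", 1)[-1]  # drop the namespace
                found.append((tag, resolved))
    return found


if __name__ == "__main__":
    for tag, url in external_references(
            SAMPLE_SVG, "https://portal.example/u/1/avatar.svg"):
        print(f"<{tag}> loads from another origin: {url}")
```
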
