W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2013

Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Robert O'Callahan <robert@ocallahan.org>
Date: Wed, 10 Apr 2013 14:51:24 +1200
Message-ID: <CAOp6jLb=0d_9zeoaihwnYjYs261XFpj-A=nMFV20Uci53qcjPA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Dirk Schulze <dschulze@adobe.com>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>
On Wed, Apr 10, 2013 at 1:25 AM, Robert O'Callahan <robert@ocallahan.org>wrote:

> On Wed, Apr 10, 2013 at 1:15 AM, Anne van Kesteren <annevk@annevk.nl>wrote:
>
>> Furthermore, people could be tricked into loading the SVG
>> resource directly! (It's not something you want to host same-origin
>> for instance, whereas hosting a PNG same-origin is always fine.)
>>
>
> That is a good point. I think we didn't consider that, and that may mean
> it's just not safe to host uploaded SVG images at all currently, at least
> not without severe sanitization. Needs more thought than I can give it
> tonight.
>

It seems to me that with our current restrictions on SVG images, Web
developers can safely host SVG images in a "sandbox" domain, and safely use
those images cross-origin from the main site.

If we enable external loads for SVG images, the examples of trickery in
https://bugzilla.mozilla.org/show_bug.cgi?id=628747#c0 are enabled against
such sites.

So I still don't see any painless solution here.

Rob
-- 
q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq
qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq
qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq
qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q
qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq
qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"
Received on Wednesday, 10 April 2013 02:51:53 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC