
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Dirk Schulze <dschulze@adobe.com>
Date: Sat, 1 Jun 2013 11:25:54 -0700
To: Boris Zbarsky <bzbarsky@mit.edu>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <F8C23A00-1C42-45F6-BB4F-3D8F8332CDC0@adobe.com>

On Jun 1, 2013, at 3:12 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 5/31/13 2:06 PM, Dirk Schulze wrote:
>> It is restricted to all information within the same document at the clipPath element. The document is tainted.
> 
> No, you misunderstand.
> 
> What I am worried about is if I have a document at evil.com that links 
> to an SVG at mybank.com as an external resource document.  Once it's 
> done that, what information can it extract from the mybank.com document?
> 
> For example, if the mybank.com document is a graph represented in SVG, 
> can evil.com exfiltrate the graph data somehow?  If it can, then such 
> linking cannot be allowed.

It can't for SVG Masks, SVG Filters and SVG Paint Servers (pattern, linearGradient, radialGradient). They just influence the visual appearance on the screen without read backs.

Hypothetically, it could be possible with the content of clipPath (because of hit testing again).
The following example would NOT expose data:
    <clipPath>
        <text>Password</text>
    </clipPath>
SVG does not allow hit testing on glyphs yet. The whole text would be a hit region as a block. Maybe you could run an attack on the glyph dimensions; I am not sure whether that could work, and it would depend on the font.

But the text can be transformed to a path (for instance with Illustrator). Then evil.com can clip an element with this resource and somehow try to get the hit regions (let the user move over the object a lot of times, like you would do on a lottery scratch ticket).
This would mean that mybank.com does not use proper session management and that mybank.com goes against every accessibility rule.

In short, this is an extremely unlikely scenario, but in theory still possible.

The clip-path property does allow CSS Shapes as well: clip-path: polygon() [1]. This is very helpful for doing CSS animations or transitions on a clipping path. Do you think that could be a possible threat to privacy as well? (clip-path does have an effect on hit testing for CSS Shapes according to the spec, even if it is not implemented that way in Blink/WebKit.)

Greetings,
Dirk

[1] http://www.w3.org/TR/2012/WD-css3-exclusions-20120503/#supported-svg-shapes

> -Boris
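The scratch-ticket attack Dirk sketches above can be made concrete without any browser at all. The following is an added example (not code from the mail thread, and not from any browser engine): a Node simulation in which the browser is reduced to a hit-test oracle, the one question evil.com can ask through pointer events on an element it has clipped with a cross-origin clipPath, namely whether a given pointer position hits the element (inside the clip region) or falls through it (outside). The "L"-shaped polygon, the 10x10 coordinate space and the three-event pointer trace are constructed sample data; the block-versus-path distinction follows the mail (text in a clipPath is one block hit region today, text converted to a path is hit-tested per outline). Whether a cross-origin clipPath actually participates in hit testing in a given engine is an assumption the mail itself flags as spec-only for CSS Shapes.

```javascript
// Added example (not from the original mail thread): a Node simulation of
// the clip-path hit-testing side channel described above. The DOM is not
// involved; the browser is modelled as an oracle that answers the only
// question evil.com can ask through pointer events on an element it has
// clipped with a cross-origin clipPath: did this pointer position hit the
// element (inside the clip region) or fall through it (outside)?

// Constructed sample: a glyph-like "L" shape converted to a path, as a
// polygon in a 10x10 coordinate space (this is the text-to-path case).
const SAMPLE_GLYPH = [[1, 1], [3, 1], [3, 6], [7, 6], [7, 8], [1, 8]];
const WIDTH = 10;
const HEIGHT = 10;

// Ray-casting point-in-polygon test; stands in for the engine's hit test
// against a path-based clip region (assumption: hit testing follows the
// clip outline exactly).
function pointInPolygon(x, y, poly) {
  let inside = false;
  for (let i = 0, j = poly.length - 1; i < poly.length; j = i++) {
    const [xi, yi] = poly[i];
    const [xj, yj] = poly[j];
    const crosses = (yi > y) !== (yj > y) &&
      x < ((xj - xi) * (y - yi)) / (yj - yi) + xi;
    if (crosses) inside = !inside;
  }
  return inside;
}

function boundingBox(poly) {
  const xs = poly.map((p) => p[0]);
  const ys = poly.map((p) => p[1]);
  return { x0: Math.min(...xs), y0: Math.min(...ys),
           x1: Math.max(...xs), y1: Math.max(...ys) };
}

// Two hit-test behaviours from the mail: "block" is <text> inside a
// clipPath today (the whole text box is one hit region); "path" is the same
// glyphs after conversion to a path (each outline is hit-tested).
function makeHitOracle(region) {
  if (region.kind === 'block') {
    const { x0, y0, x1, y1 } = region.bbox;
    return (x, y) => x >= x0 && x <= x1 && y >= y0 && y <= y1;
  }
  return (x, y) => pointInPolygon(x, y, region.polygon);
}

// Exhaustive "scratch": one pointer event at the centre of every cell.
// This is the upper bound on what a patient attacker can learn.
function scratch(hitTest, width, height) {
  const revealed = [];
  for (let y = 0; y < height; y++) {
    const row = [];
    for (let x = 0; x < width; x++) row.push(hitTest(x + 0.5, y + 0.5));
    revealed.push(row);
  }
  return revealed;
}

// Realistic "scratch ticket": only cells the user's pointer actually
// crossed become known; each event yields exactly one bit. Unvisited cells
// stay null (unknown).
function scratchFromTrace(hitTest, trace, width, height) {
  const revealed = Array.from({ length: height }, () => Array(width).fill(null));
  for (const [px, py] of trace) {
    const cx = Math.floor(px);
    const cy = Math.floor(py);
    if (cx < 0 || cy < 0 || cx >= width || cy >= height) continue;
    revealed[cy][cx] = hitTest(px, py);
  }
  return revealed;
}

function countHits(grid) {
  return grid.flat().filter((c) => c === true).length;
}

function countKnown(grid) {
  return grid.flat().filter((c) => c !== null).length;
}

function render(grid) {
  return grid
    .map((row) => row.map((c) => (c === null ? '?' : c ? '#' : '.')).join(''))
    .join('\n');
}

const textAsPath = makeHitOracle({ kind: 'path', polygon: SAMPLE_GLYPH });
const textAsBlock = makeHitOracle({ kind: 'block', bbox: boundingBox(SAMPLE_GLYPH) });

console.log('text converted to a path: every glyph cell is recoverable');
console.log(render(scratch(textAsPath, WIDTH, HEIGHT)));
console.log('text as one block hit region: only the bounding box leaks');
console.log(render(scratch(textAsBlock, WIDTH, HEIGHT)));
// Constructed pointer trace: three mousemove positions from one user gesture.
const trace = [[1.5, 1.5], [5.5, 3.5], [5.5, 6.5]];
console.log('after three pointer events (path case):');
console.log(render(scratchFromTrace(textAsPath, trace, WIDTH, HEIGHT)));
```

Run it with `node` and compare the two full grids: the path oracle reproduces the "L" cell for cell (22 of 100 cells hit), while the block oracle gives back nothing finer than the text's bounding rectangle (42 cells), which is the difference between the two cases in the mail. The trace run shows the cost side of the attack: one pointer event is one bit about one cell, so reconstructing a rendered word means keeping the user's pointer over the clipped element for far longer than any real interaction would justify, which is why the mail calls the scenario unlikely but possible.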
Received on Saturday, 1 June 2013 18:26:24 UTC
