
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Dirk Schulze <dschulze@adobe.com>
Date: Sat, 1 Jun 2013 15:40:06 -0700
To: Boris Zbarsky <bzbarsky@MIT.EDU>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <622DF5D8-D797-42D8-BB1E-51383A01495B@adobe.com>

On Jun 2, 2013, at 7:16 AM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:
> I assume we're disregarding timing channel attacks for the time being, 
> right?

The time channel attack gets interesting when you can assume content based on different rendering times or calculation times. This is not the case for any of these elements, as far as the current state of knowledge goes.


> As much as "must be inside <clipPath> SVG".

I do not understand why you distinguish between a path inside <clipPath> and one outside <clipPath>. The following example:

<svg>
<clipPath>
   <path d="."/>
</clipPath>
</svg>

Does the same as 

<svg>
<path id="path" d="."/>
<clipPath>
   <use xlink:href="#path"/>
</clipPath>
</svg>

Both would work in the suggested model. For both you do not have access to the path data when you just reference the resource. <use> would just have limited access to elements within the same document. Roc said that Firefox has special checking for fragment identifiers before checking the IRI. WebKit basically has something similar. This is not a requirement, but it makes the implementation of the security model easier.

The only way to get an approximation of the original path is to inspect the hit region on the clipped element (the element is on your evil domain) with mouseover or elementFromPoint as discussed in the previous mail. If that is not your concern, then I don't understand what can be of any concern.

Greetings,
Dirk
Received on Saturday, 1 June 2013 22:40:34 UTC
