Re: [filter-effects][css-masking] Move security model for resources to CSP from Dirk Schulze on 2013-06-02 (public-webappsec@w3.org from June 2013)

From: Dirk Schulze <dschulze@adobe.com>
Date: Sat, 1 Jun 2013 20:54:07 -0700
To: Boris Zbarsky <bzbarsky@MIT.EDU>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <9AFED6AF-F79B-4215-BA04-F054B95C1E5B@adobe.com>

On Jun 2, 2013, at 12:13 PM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

> Webkit doesn't actually convert the input strings to IRIs until much 
> later in the pipeline, which leads to all sorts of inconsistencies in 
> its handling of URIs, in my experience, depending on which codepath 
> converts to IRI and which just uses the input string and what they do 
> with the input strings.
> 
> I would be strongly opposed to doing the WebKit thing in Gecko, because 
> it's a very difficult model to not mistakes in, as an engine developer.

What WebKit does depends on where you use IRI referencing and I did not say that Gecko should use the somehow broken behavior of WebKit.

> On 6/1/13 11:11 PM, Boris Zbarsky wrote:
>> That is my concern, precisely.  Once you have some piece of geometry
>> being used as a clip, you can get its geometry information to whatever
>> precision you want using elementFromPoint.  Furthermore, you can get
>> color information too, using a combination of filters and
>> pointer-events, as far as I can tell.  See
>> http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html
> 
> Er, sorry.  This was much more confused than I thought when I wrote it. 
>  Let me try again.
> 
> If you have geometry being used as clip, you can get geometry 
> information from it, but not color information.
> 
> If you have something being painted on top of other stuff, then 
> combining filters and pointer-events seems like it can let you extract 
> both geometry and color information.

pointer-events are indeed problematic in it's current definition (SVG 1.1) and we spoke about the security concerns multiple times. I think they should be addressed separately. (I do not think that "draw visible" should be taken literally and make the decision on alpha=0.)

To focus on clip-path: Do I understand you correctly that there is no difference in the security consideration between my two examples (inline path and <use> reference of path in same document)?

If yes. Do you think there is a security breach with the potential recovery of the path data inside of <clipPath>?

Greetings,
Dirk

> 
> -Boris
>

Received on Sunday, 2 June 2013 03:54:35 UTC