- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sun, 02 Jun 2013 00:03:23 -0400
- To: Dirk Schulze <dschulze@adobe.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 6/1/13 11:54 PM, Dirk Schulze wrote:
> To focus on clip-path: Do I understand you correctly that there is no difference in the security consideration between my two examples (inline path and <use> reference of path in same document)? They both allow exfiltrating the path information. Are they both allowed in your proposal? That's the part I'm trying to understand.
>
> If yes. Do you think there is a security breach with the potential recovery of the path data inside of <clipPath>?

Allowing cross-origin exfiltration of _arbitrary_ path geometry seems like an entirely unacceptable security breach to me. Your example shows that cross-origin <use> allows such exfiltration. Therefore, we can't allow cross-origin <use> without putting some sort of mitigations in place.

Exfiltration of just path geometry that is explicitly being used as a clipping path by the source being exfiltrated from is somewhat questionable, but it's not obvious to me whether it would contain sensitive data in practice. I would suggest we should err on the side of assuming it would, since this is the sort of thing that's really hard to close down once you open it up...

Does that answer your question? I'm really not quite sure what you're really asking here.

-Boris

Received on Sunday, 2 June 2013 04:03:53 UTC