- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 31 May 2013 12:46:20 -0400
- To: public-webappsec@w3.org

On 5/31/13 9:48 AM, Dirk Schulze wrote:

> - Referencing internal elements if just a fragment is defined: url(#frag). Absolute paths to the current document would be prohibited.

url(#frag) is canonicalized to an absolute URI at parse time at least in Gecko, and that's the URI model in general. So this is a somewhat nonsensical requirement, imo. Also one that doesn't seem to be needed, since the behavior of absolute path to the resource document and relative path to the resource document should be exactly identical.

> - No same-origin restriction!

It's not clear to me that this is ok. <use> across origins sounds like a pretty potent data-exfiltration vector to me. Note that for stylesheets this is in fact a serious problem; there have been a number of attacks on this vector with stylesheets in the past, browsers have put into place some mitigations, but there are other attacks remaining. The only thing saving stylesheets here is that almost no one stores login-required data in CSS. Is the same true for SVG? I suspect not...

> - Blob (can it be used if no JS is running?)

No, it can't.

> - Events. Events are not only used by JS, but also to trigger SVG Animations (<animate begin="anim1.end" ...). Can events be a problem? Should they be disabled? They currently work in Chrome and FF. I don't think that there is a risk.

I don't think there is a problem with events given lack of scripting.

> This is a huge limitation to the current model of SVG which has no restrictions at all. My hope is that we can finally have a common model that every SVG viewer can agree on and put it into the SVG spec directly.

-Boris

Received on Friday, 31 May 2013 16:46:49 UTC
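
The canonicalization point in the message above, as an added example that is not part of the original message: once a reference is resolved against the document URL, `url(#frag)` and an absolute URL to the same document are indistinguishable, so a check can only classify the resolved target (same document, same origin, cross origin). The function names, the document URL and the sample references are hypothetical and constructed for illustration.

```javascript
// Added example, not from the original message. All URLs are constructed samples.

// Resolve a reference against the document's base URL, as a URL parser does.
function resolveReference(ref, documentUrl) {
  return new URL(ref, documentUrl);
}

// Drop the fragment so two URLs can be compared as documents.
function withoutFragment(url) {
  const copy = new URL(url.href);
  copy.hash = '';
  return copy.href;
}

// Classify a reference after resolution; the original spelling is gone by then.
function classifyReference(ref, documentUrl) {
  const doc = new URL(documentUrl);
  let target;
  try {
    target = resolveReference(ref, doc);
  } catch (e) {
    return { kind: 'invalid', resolved: null };
  }
  let kind;
  if (withoutFragment(target) === withoutFragment(doc)) {
    kind = 'same-document';
  } else if (target.origin === doc.origin) {
    kind = 'same-origin';
  } else {
    kind = 'cross-origin'; // the case the data-exfiltration concern is about
  }
  return { kind, resolved: target.href };
}

const DOC = 'https://example.test/img/icons.svg'; // constructed document URL
const SAMPLES = [
  '#frag',                                   // fragment-only
  'https://example.test/img/icons.svg#frag', // absolute path to the same document
  'other.svg#frag',                          // different document, same origin
  'https://other.example/sprite.svg#frag',   // different origin
];
for (const ref of SAMPLES) {
  const r = classifyReference(ref, DOC);
  console.log(ref.padEnd(42), r.kind.padEnd(14), r.resolved);
}
```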