W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2013

Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 31 May 2013 12:46:20 -0400
Message-ID: <51A8D3DC.80901@mit.edu>
To: public-webappsec@w3.org
On 5/31/13 9:48 AM, Dirk Schulze wrote:
> - Referencing internal elements if just a fragment is defined: url(#frag). Absolute paths to the current document would be prohibited.

url(#frag) is canonicalized to an absolute URI at parse time at least in 
Gecko, and that's the URI model in general.  So this is a somewhat 
nonsensical requirement, imo.  Also one that doesn't seem to be needed, 
since the behavior of absolute path to the resource document and 
relative path to the resource document should be exactly identical.

> - No same-origin restriction!

It's not clear to me that this is ok.  <use> across origins sounds like 
a pretty potent data-exfiltration vector to me.

Note that for stylesheets this is in fact a serious problem; there have 
been a number of attacks on this vector with stylesheets in the past, 
browsers have put into place some mitigations, but there are other 
attacks remaining.  The only thing saving stylesheets here is that 
almost no one stores login-required data in CSS.  Is the same true for 
SVG?  I suspect not...

> - Blob (can it be used if no JS is running?)

No, it can't.

> - Events. Events are not only used by JS, but also to trigger SVG Animations (<animate begin="anim1.end" ...). Can events be a problem? Should they be disabled? They currently work in Chrome and FF. I don't think that there is a risk.

I don't think there is a problem with events given lack of scripting.

> This is a huge limitation to the current model of SVG which has no restrictions at all. My hope is that we can finally have a common model that every SVG viewer can agree on and put it into the SVG spec directly.

-Boris
Received on Friday, 31 May 2013 16:46:49 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC