
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 31 May 2013 14:12:08 -0400
Message-ID: <51A8E7F8.5000308@mit.edu>
To: Dirk Schulze <dschulze@adobe.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 5/31/13 2:06 PM, Dirk Schulze wrote:
> It is restricted to all information within the same document at the clipPath element. The document is tainted.

No, you misunderstand.

What I am worried about is if I have a document at evil.com that links 
to an SVG at mybank.com as an external resource document.  Once it's 
done that, what information can it extract from the mybank.com document?

For example, if the mybank.com document is a graph represented in SVG, 
can evil.com exfiltrate the graph data somehow?  If it can, then such 
linking cannot be allowed.

-Boris
Received on Friday, 31 May 2013 18:12:37 UTC
