Re: SVG image security restrictions

From: Daniel Holbert <dholbert@mozilla.com>
Date: Tue, 15 Sep 2015 21:23:49 -0700
To: Dean Jackson <dino@apple.com>
Cc: robert@ocallahan.org, "public-fx@w3.org" <public-fx@w3.org>, www-style <www-style@w3.org>
Message-ID: <55F8EED5.30508@mozilla.com>

On 09/15/2015 05:51 PM, Dean Jackson wrote:
> If a site like socialnetwork.com is willing to invisibly proxy requests
> to adserver.com, then aren't they already opening the door for users
> to see their profile pictures in ads? Are you expecting that socialnetwork.com
> was somehow convinced by adserver.com that they'd only ever serve image
> data? In nearly every case I've seen, the adserver gets the site to include
> a script tag, which helps them better track whether the user saw the ad and/or
> interacted with it.

So, brief disclaimer: I heard about this particular ad-blocker-avoiding
proxying scheme via a podcast, so I just got a quick overview and the
impression that this is happening or will soon be happening, but I don't
claim to know details.

But yeah, my understanding is that the *only* dynamically-proxied
resources would be images, because scripts would clearly be unsafe,
because they could trivially get up to all sorts of mischief. (And this
could be enforced by sticking the proxied resources in <img> tags).

I imagine it would work something like this:
 - Ahead of time, the ad network provides the website with a
(relatively-short, easy to audit) management script for handling this
"ad blocker detected" scenario, which would manage all of this behavior.
 - It's in the site's interest to invest resources in auditing & then
hosting this script, because it means they'll get more ad revenue.
 - So: when a user with an ad-blocker visits the site, this script would
run (in the origin of the site), and detect that the ad hadn't loaded,
and would then manage the image proxying. [hand-wave] The important
thing here is that the proxied resource is stuck in an <img> (or in a
CSS background, etc), which means the only resources that can be
usefully proxied are images.
 - Also: in this scenario, the ad network and their management script
are assumed to be *trusted* -- but the individual ads themselves are
*not* necessarily trusted, because they're served up on-the-fly, from
3rd-party advertisers. (And hopefully the ad network is scanning them
for badness, but they're not perfect.) It's these 3rd-parties who we're
worried about being sneaky and providing SVG which incorporates your
same-origin profile image.

> Moving to the model you describe above would mean a lot of
> logic needs to happen in socialnetwork.com's content (did resources from
> adserver load? No, then insert an <img> element, etc...). And this logic
> would have to be reproduced in all sites who want to serve ads this way.
> And it would be a pain to maintain.

As noted above, I'm imagining this would be handled by a script that's
provided by the ad network, which each site could audit. (and would have
an incentive to audit & accept, because it means more ad revenue)

> Basically I'm asking if a site is willing to do invisible server-side proxying,
> aren't there a lot of horrible things that could happen?

No... I don't think anything else horrible can happen, if the only thing
they're proxying is the contents of certain <img> banners. (which
presumably could be ensured by auditing the proxy-management script)

~Daniel
Received on Wednesday, 16 September 2015 04:24:19 UTC
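
One site-side guard for the proxying scheme sketched in this message, as an added example that is not from the thread or from any ad network: the proxy endpoint forwards a creative only if its leading bytes match a raster image format, so an SVG document supplied by a third-party advertiser is never re-served from the site's own origin. The function names, the format allowlist and the sample bytes are assumptions constructed for illustration.

```python
"""Raster-only gate for a same-origin ad-image proxy (illustrative, hypothetical names)."""

# Magic-number prefixes for the raster formats this hypothetical proxy accepts.
RASTER_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Constructed sample inputs (not real ad creatives).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><image href="/me/avatar.png"/></svg>'


def sniff_raster_type(body: bytes):
    """Return the MIME type if body starts with an allowed raster signature, else None."""
    for mime, prefixes in RASTER_SIGNATURES.items():
        if any(body.startswith(p) for p in prefixes):
            return mime
    # WebP is a RIFF container: "RIFF", 4-byte size, then "WEBP".
    if body[:4] == b"RIFF" and body[8:12] == b"WEBP":
        return "image/webp"
    return None


def gate_creative(upstream_content_type: str, body: bytes):
    """Decide whether to forward an upstream creative; returns (status, headers, body).

    The allow decision is made on the bytes. The upstream Content-Type is only
    compared against the sniffed type, and a mismatch is rejected.
    """
    sniffed = sniff_raster_type(body)
    declared = upstream_content_type.split(";")[0].strip().lower()
    if sniffed is None or declared != sniffed:
        # Covers SVG/XML, HTML, scripts, and mislabelled raster files.
        return 415, {"Content-Type": "text/plain"}, b"creative rejected"
    headers = {
        # Re-declare the type ourselves and stop the browser from re-sniffing it.
        "Content-Type": sniffed,
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


if __name__ == "__main__":
    print(gate_creative("image/png", SAMPLE_PNG)[0])      # raster: forwarded
    print(gate_creative("image/svg+xml", SAMPLE_SVG)[0])  # SVG: rejected
    print(gate_creative("image/png", SAMPLE_SVG)[0])      # SVG labelled as PNG: rejected
```
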