Re: SVG 1.2 Comment: B.2.3 Socket Connections

At 12:52 AM 11/4/2004 +0000, Ian Hickson wrote:
>[snip]
> > > A more serious attack would be for untrusted injected script to make a
> > > direct connection to port 25 (SMTP). That would allow spam to be sent
> > > from client machines. Since the interfaces would be available to any
> > > script in UAs that implement SVG (not just in SVG drawings, which are
> > > very rare and thus less of an attack vector), this would basically
> > > mean that any HTML site that can be attacked via script injection
> > > (which is a lot of them) goes from being subject to cross-domain
> > > attacks (rarely a major problem on such insecure sites) to being a
> > > potential spam relay point (very bad).
> >
> > How it is different than, say, Java applets?
>
>It isn't. Java applets are not trusted, and require the user to agree to
>running them in most secure UAs.

Most secure UAs can block these connections (or require user to approve it 
for a specific host, verify signatures, etc.). We are not imposing our 
security model on UAs, we just outlining baseline expectations.

Peter

>[snip]

Received on Thursday, 4 November 2004 01:27:03 UTC