[SVGMobile12] Connection interface is impossible to implement safely from Ian Hickson on 2006-07-22 (www-svg@w3.org from July 2006)

From: Ian Hickson <ian@hixie.ch>
Date: Sat, 22 Jul 2006 04:32:07 +0000 (UTC)
To: www-svg@w3.org
Message-ID: <Pine.LNX.4.62.0607220428030.4826@dhalsim.dreamhost.com>

The Connection interface (A.7.3) is impossible to implement without 
exposing the UA to security vulnerabilities. This is the case even if one 
dramatically limits the possible actions one could do with this API, for 
example limiting the host to the same as the content's host, and the port 
to the same as the content's port, would still allow for XSS attacks.

Please either make support of this API optional, clearly marking it as 
being inappropriate for use on the Web, or, redesign it such that it does 
not expose UA vendors to security flaws by design.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 22 July 2006 04:32:19 UTC