Re: Cross domain resource

On 10/26/12 4:20 PM, Dirk Schulze wrote:
> After more investigation, cross domain references of resources can indeed be a problem for XSS. For instance this seems not to be disallowed by the spec (Note: A script is running on the mask element when loaded):
>
> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
> <mask id="mask" onload="console.log('CORS? Of course!')"/>
> </svg>

For what it's worth, Gecko does not run scripts in resource documents, 
period, even same-origin ones.

> Adam Barth notes that cross referencing could be used to query the fragments on the external resource. Together with JavaScript you could try to search for certain IDs in the external document.

Well, you can also extract geometry data from the external document, right?

-Boris

Received on Friday, 26 October 2012 21:07:21 UTC
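
An added example, not part of the thread or of any browser's code: a Python check a site operator could run over an SVG file before hosting it as a referenceable resource. It flags script-bearing markup such as the `onload` handler quoted above and lists the ids that fragment references can address. The function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the resource document quoted in the message above.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<mask id="mask" onload="console.log('CORS? Of course!')"/>
</svg>"""


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]


def audit_svg_resource(text):
    """Return (findings, ids) for an SVG meant to be referenced as a resource.

    findings: (element, attribute-or-'element', value) for script-bearing markup.
    ids:      every id value, i.e. what a '#fragment' reference can address.
    """
    # Refuse DTDs outright so entity expansion never reaches the parser.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD/entity declarations refused")
    root = ET.fromstring(text)
    findings, ids = [], []
    for el in root.iter():
        tag = local(el.tag)
        if tag.lower() == "script":
            findings.append((tag, "element", ""))
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            if name.startswith("on"):
                # Conservative heuristic: treat every on* attribute as a handler.
                findings.append((tag, name, value))
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append((tag, name, value))
            elif name == "id":
                ids.append(value)
    return findings, ids


if __name__ == "__main__":
    found, exposed = audit_svg_resource(SAMPLE)
    for tag, what, value in found:
        print(f"script-bearing: <{tag}> {what} {value!r}")
    print("ids addressable by fragment:", exposed)
```
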