W3C home > Mailing lists > Public > www-svg@w3.org > October 2012

Re: Cross domain resource

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 26 Oct 2012 17:06:51 -0400
Message-ID: <508AFB6B.8000605@mit.edu>
To: www-svg@w3.org
On 10/26/12 4:20 PM, Dirk Schulze wrote:
> After more investigation, cross domain references of resources can indeed be a problem for XSS. For instance this seems not to be disallowed by the spec (Note: A script is running on the mask element when loaded):
>
> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
> <mask id="mask" onload="console.log('CORS? Of course!')"/>
> </svg>

For what it's worth, Gecko does not run scripts in resource documents, 
period, even same-origin ones.

> Adam Barth notes that cross referencing could be used to query the fragments on the external resource. Together with JavaScript you could try to search for certain ID's in the external document.

Well, you can also extract geometry data from the external document, right?

-Boris
Received on Friday, 26 October 2012 21:07:21 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:54:37 UTC