Re: Cross domain resource

On Oct 27, 2012, at 3:42 AM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

> On 10/26/12 9:20 PM, Dirk Schulze wrote:
>> That is an interesting concept. Is it described in a different spec?
> 
> <shrug>.  I have no idea.
> 
> I thought SVG used to have a section describing how external resources 
> should work, but I can't find it in the unsearchable under-linked mess 
> that is SVG 1.1 right now.  And it's obviously not in 1.2 Tiny, since 
> that doesn't have external resources.
Time to do the spec work then :)

> 
>> I think our tries load the fragment into the same document. Which would be harder to detect.
> 
> I can't make sense of those two sentences, sorry.
> 
>> But we still don't support external resources like clipPath, mask or paint servers yet.
> 
> Right.
> 
>> Mask does not affect hit testing, but clipPath does (the only resource). But it does not expose this region without the interaction of the user (move mouse over clipped region).
> 
> It doesn't affect the behavior of Document.elementFromPoint?
Hm. It may do :/ Reading the spec, it should.

> 
> It doesn't affect the mouseover/out/move events UAs (well, not WebKit, 
> perhaps, but UAs that are trying to actually update hover state sanely) 
> fire when the mouse is stationary but elements move?
It definitely does affect mouseover events.

Again, this is just the case for clipPath. But it wouldn't make sense to apply special rules for just clipPath.

In Firefox external clipPath elements still affect hit testing, right? But I guess this is not a problem because of the restriction to scripts and to the same origin?

> 
> -Boris
> 
> P.S.  If you haven't seen it before, I highly recommend reading 
> http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html for the 
> sort of attacks you get when combining features...  Are you sure mask 
> does not affect hit testing?
Yes, this is not the only problem. But a very interesting one. In WebKit we don't support iframes for foreignObjects. I wonder if it wouldn't be easier to have an iframe over the whole page with opacity: 0. The page under the iframe is the bank page. The page in the iframe is your own page with exactly the same layout. But maybe iframe has some more restrictions that make it more safe?

Greetings,
Dirk

Received on Saturday, 27 October 2012 02:01:38 UTC