RE: new feature request

Oh ick! Thanks Robert! I know you don’t really delight in bringing such news ;)

Would there be any simpler way to solve the security problem short of tossing out the use cases?

If I read it correctly, the problem comes in when using something like

<set attributeName="fill" begin="accessKey(a)" to="red" />

I’m not sure how, without script, one would be able to use this to exploit something, but I acknowledge that those discussing the issue know a lot more about securing browsers than I do. But realistically, do people ever use begin="accessKey(a)" in declarative programming in SVG? I never did, though it sounds sorta cool. Perhaps one could just turn that off until the security thing is fixed, or just turn it off in the context of HTML <img> if that makes sense.

Regards

David

From: Robert Longson [mailto:longsonr@gmail.com] 
Sent: Thursday, March 05, 2015 6:50 AM
To: www-svg@w3.org
Subject: Re: new feature request

SMIL event handling in images is off for good reason (see https://bugzilla.mozilla.org/show_bug.cgi?id=704482 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3663), so it's not coming back unless you can address the security concerns.

Robert.

Received on Thursday, 5 March 2015 18:53:09 UTC