Re: new feature request

On 03/05/2015 03:50 AM, Robert Longson wrote:
> SMIL event handling in images is off for good reason see
> and
> so it's not
> coming back unless you can address the security concerns.

For the record, that vulnerability required more than interactivity --
it required interactivity *plus the ability to load remote resources*.
With SVG in an image context (in Firefox at least), remote loads are
blocked, so that attack scenario fails.  Basically, you can try to
keylog, but there's no way to phone home to report the logged keys.

So, I can't immediately think of a way for attackers to *exploit*
SVG-image interactivity to log keystrokes.  Though, people could e.g.
use custom avatars or "weird magic trick" image-posts that *appear* to
the user to be capturing their keystrokes (by playing them back) -- even
though they're merely *reacting* to them, & can't persistently save them
or phone home.

So, I suspect it might theoretically be safe to allow SMIL to handle
events in SVG-as-an-image context. (clicks at least, & perhaps
keystrokes depending on how concerned you are about trolling)

But nonetheless, as Dirk brought up elsethread: even if it were safe &
we added interactivity to SVG images, that might become a disincentive
for social media sites to accept SVG uploads, depending on their
expected limitations for users' uploaded content like avatars & photos.


Received on Tuesday, 17 March 2015 07:14:34 UTC