- From: Daniel Holbert <dholbert@mozilla.com>
- Date: Thu, 26 Mar 2015 15:50:16 -0700
- To: Doug Schepers <schepers@w3.org>, David Dailey <ddailey@zoominternet.net>, 'www-svg' <www-svg@w3.org>, 'Chris Lilley' <chris@w3.org>
On 03/26/2015 10:49 AM, Doug Schepers wrote:
>> Semi-strawman suggestion: maybe we'd even want to allow mousewheel
>> scrolling of overflow:scroll content? This doesn't seem very
>> "image-like", but it is in line with a "secure interactive animated
>> mode".
>
> Huh! I hadn't thought of that.
>
> You mean for panning, or for zooming?

Neither -- I was talking about e.g.:

  <svg>
    <foreignObject>
      <div style="height: 50px; overflow:scroll">
        lots of text
        lots of text
        lots of text

So, an explicitly-scrollable chunk of HTML, nested inside the SVG.

> If you just mean scrolling, that should be handled by
> overflow:scroll(-x|y), right? (BTW, I don't think that would necessitate
> us sending the events to the image itself,

(I'm talking about an overflow:scroll sub-region *inside the image*.)

>> "Navigation of links" scares me. [...]
> Consider 2 very common cases:
>
> * image maps
> * advertisements
>
> You would argue that those are links outside the image itself, in the
> HTML; fair enough. But is that necessary? Does it change security or
> privacy in any way?

Yes. Two counter-examples where this would be very bad:

(1) Suppose I run an image-sharing site. Users can upload images, but can't do much else. Their photos are displayed in <img> tags that I control. I would be very upset if suddenly browsers started allowing these <img> tags to be linkified (potentially to dangerous/objectionable content).

(2) Suppose I run a site "AwesomeWebPortal", and I accept ad-banner images. They're just images displayed with <img>, so I feel pretty safe. Now, with your proposal, someone can provide a scammy ad-banner that says "You've been logged out of AwesomeWebPortal; please log back in with this virtual keyboard." And then the user clicks the image to type out his password (and maybe this ends up appending a version of his password to the image URL, via anchor navigation). Then the user clicks the "submit" button in the image, which goes to a custom attacker-controlled URL, which maybe depends on what the user has clicked up until that point. Their password has now been leaked.

> If someone clicks on an image, such as an ad, don't
> they think they are actually interacting with the image, and not some
> invisible handler in the hosting page?

Maybe. But consider the page author's perspective -- if this is a user/advertiser-supplied image, the page author may not want to *allow* the image to be linkified, though (aside from maybe an explicitly-allowed <a> link that the page-author has control over). The page author *could* add an overlay to block interaction, but they wouldn't expect there's any need for this, because surely <img> elements can't be linkified unless done explicitly with <a>.

Received on Thursday, 26 March 2015 22:50:47 UTC