ISSUE-2071
filter security
potential security hole involving pointer-events, filters, foreignObject, cross-origin IFRAMEs, and elementFromPoint
- State:
- OPEN
- Product:
- SVG Core 2.0
- Raised by:
- Doug Schepers
- Opened on:
- 2008-09-25
- Description:
Robert O'Callahan <http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html>: [[ It seems that using clever combinations of SVG 1.1 features, untrusted content can capture the rendering of a third-party site ... depending on some very subtle stuff in the spec. The idea is to start with image.svg which contains a <foreignObject> which contains an <iframe> of the site you wish to capture, say mail.google.com. Then you wrap that foreignObject in a <filter> which uses <feColorMatrix> and <feComponentTransfer> to map some pixel values to alpha=0 and other pixel values to alpha=1. Then you create another document, say outer.svg, which contains <image src="image.svg" style="pointer-events:painted">. Then in outer.svg, using the non-SVG but common-in-Web-UAs DOM API "elementFromPoint", you can hit-test over <image> to see which pixels have nonzero alpha. This could be used by some evil site to capture and transmit the contents of intranet sites or certain Web applications the user might auto-login to, so it's very serious. Fortunately I don't think this works in any UA yet; Firefox doesn't support pointer-events, Safari doesn't support <filter> and I believe Opera doesn't handle <foreignObject> in filters. Now, pointer-events:painted says that alpha-value testing should only be applied to "raster images", and technically <image src="image.svg"> is not a *raster* image, so perhaps we can use that loophole to say that in fact pointer-events does not test alpha values for that image. But it feels strange for pointer-events to depend on the actual image type there, and it feels even worse for that to be the only defense against a serious security hole. But I don't have any better ideas at the moment. ]]
- Related Actions Items:
- ACTION-2477 on Doug Schepers to Propose a solution for ISSUE-2071, referring to external resources and how that affects security ("tainting" an svg) and how that might apply to methods like elementFromPoint - due 2009-02-26, open
- Related emails:
- Fwd: Minutes, SVG Telcon, 23 Nov 2009 (from codedread@gmail.com on 2009-11-25)
- Minutes, SVG Telcon, 23 Nov 2009 (from schepers@w3.org on 2009-11-25)
- Minutes Sydney 2009 F2F day 4 (from cam@mcc.id.au on 2009-02-19)
- Minutes Feb 2, 2009 telcon (from ed@opera.com on 2009-02-02)
- Regrets, 2 February 2009 telcon (from schepers@w3.org on 2009-02-02)
- Agenda, 2 February 2009 telcon (from cam@mcc.id.au on 2009-02-02)
- Re: potential security hole involving ... elementFromPoint (ISSUE-2071) (from robert@ocallahan.org on 2008-09-27)
- Re: potential security hole involving ... elementFromPoint (ISSUE-2071) (from schepers@w3.org on 2008-09-26)
- ISSUE-2071 (filter security): potential security hole involving pointer-events, filters, foreignObject, cross-origin IFRAMEs, and elementFromPoint [SVG Full 1.1] (from sysbot+tracker@w3.org on 2008-09-25)
- Related notes:
- No additional notes.
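As an added illustration that is not part of this tracker record, the SVG specification, or any user agent's code: the description above explains why a per-pixel alpha test under pointer-events:painted turns elementFromPoint into a channel for a cross-origin document's rendering, and ACTION-2477 points at "tainting" as the mitigation. The JavaScript model below contrasts the two hit-testing policies: the per-pixel policy, whose answer depends on the image's pixels, and a tainting policy, where an <image> whose source document loads cross-origin content is hit-tested on its geometry alone. The data structures, function names, origins, tainting rule and pixel values are assumptions constructed for the model.

```javascript
// Added example: a model of SVG <image> hit-testing under
// pointer-events:painted. It is not code from the W3C tracker record, the
// SVG spec, or any user agent; names, origins and pixel values are assumed.

// A rendered <image> as a hit-tester sees it. `alpha` is a row-major
// Uint8Array of per-pixel alpha values; `tainted` records whether the image's
// rendering depends on cross-origin content.
function makeImage({ x, y, width, height, alpha, tainted }) {
  if (alpha.length !== width * height) {
    throw new Error('alpha buffer does not match image dimensions');
  }
  return { x, y, width, height, alpha, tainted };
}

// Tainting rule (assumed): an image is tainted when any resource its source
// document loads (for example an <iframe> inside <foreignObject>) comes from
// an origin other than the embedding document's own.
function isTainted(loadedResources, embeddingOrigin) {
  return loadedResources.some(r => r.origin !== embeddingOrigin);
}

function insideBounds(img, px, py) {
  return px >= img.x && px < img.x + img.width &&
         py >= img.y && py < img.y + img.height;
}

function alphaAt(img, px, py) {
  return img.alpha[(py - img.y) * img.width + (px - img.x)];
}

// Per-pixel policy: pointer-events:painted tests the alpha of every image.
// The answer depends on the image's pixels, which is the channel the report
// describes when those pixels derive from a cross-origin document.
function hitTestPerPixel(img, px, py) {
  return insideBounds(img, px, py) && alphaAt(img, px, py) > 0;
}

// Tainting policy: a tainted image is hit-tested on geometry alone (as if
// fully opaque), so the result carries no information about its pixels.
// Untainted images keep the per-pixel alpha test unchanged.
function hitTestWithTaint(img, px, py) {
  if (!insideBounds(img, px, py)) return false;
  if (img.tainted) return true;
  return alphaAt(img, px, py) > 0;
}

// elementFromPoint over a stack of images (last element is topmost),
// parameterised by the hit-test policy.
function elementFromPoint(images, px, py, policy) {
  for (let i = images.length - 1; i >= 0; i--) {
    if (policy(images[i], px, py)) return images[i];
  }
  return null;
}

// Constructed scenario: a 2x1 image whose two pixels differ only in alpha,
// rendered from a document that embeds a third-party origin. If hit-testing
// the two pixels gives different answers, one bit of that document's
// rendering has leaked to the embedding page.
function leaksPixelData(policy) {
  const embeddingOrigin = 'https://embedding.example';
  const img = makeImage({
    x: 0, y: 0, width: 2, height: 1,
    alpha: Uint8Array.from([0, 255]),
    tainted: isTainted([{ origin: 'https://third-party.example' }], embeddingOrigin),
  });
  const hitLeft = elementFromPoint([img], 0, 0, policy) !== null;
  const hitRight = elementFromPoint([img], 1, 0, policy) !== null;
  return hitLeft !== hitRight;
}

// Untainted (same-origin) images must keep normal painted semantics under
// the tainting policy, so transparent pixels still fall through.
function sameOriginImageStillAlphaTested() {
  const img = makeImage({
    x: 0, y: 0, width: 2, height: 1,
    alpha: Uint8Array.from([0, 255]),
    tainted: isTainted([], 'https://embedding.example'),
  });
  return !hitTestWithTaint(img, 0, 0) && hitTestWithTaint(img, 1, 0);
}

console.log('per-pixel policy leaks:', leaksPixelData(hitTestPerPixel));        // true
console.log('tainting policy leaks:', leaksPixelData(hitTestWithTaint));        // false
console.log('same-origin alpha preserved:', sameOriginImageStillAlphaTested()); // true
```

The point of the model is the second `console.log` line: once the image is tainted, the two pixels that differ only in alpha produce identical hit-test results, so elementFromPoint reveals nothing about the cross-origin rendering, while same-origin images keep the alpha-sensitive behaviour pointer-events:painted promises.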