ISSUE-2071: potential security hole involving pointer-events, filters, foreignObject, cross-origin IFRAMEs, and elementFromPoint

filter security

potential security hole involving pointer-events, filters, foreignObject, cross-origin IFRAMEs, and elementFromPoint

State:
OPEN
Product:
SVG 2
Raised by:
Doug Schepers
Opened on:
2008-09-25
Description:
Robert O'Callahan
<http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html>:
[[
It seems that using clever combinations of SVG 1.1 features, untrusted
content can capture the rendering of a third-party site ... depending on
some very subtle stuff in the spec.

The idea is to start with image.svg which contains a <foreignObject> which
contains an <iframe> of the site you wish to capture, say mail.google.com.
Then you wrap that foreignObject in a <filter> which uses <feColorMatrix>
and <feComponentTransfer> to map some pixel values to alpha=0 and other
pixel values to alpha=1. Then you create another document, say outer.svg,
which contains <image src="image.svg" style="pointer-events:painted">. Then
in outer.svg, using the non-SVG but common-in-Web-UAs DOM API
"elementFromPoint", you can hit-test over <image> to see which pixels have
nonzero alpha.

This could be used by some evil site to capture and transmit the contents of
intranet sites or certain Web applications the user might auto-login to, so
it's very serious. Fortunately I don't think this works in any UA yet;
Firefox doesn't support pointer-events, Safari doesn't support <filter> and
I believe Opera doesn't handle <foreignObject> in filters.

Now, pointer-events:painted says that alpha-value testing should only be
applied to "raster images", and technically <image src="image.svg"> is not a
*raster* image, so perhaps we can use that loophole to say that in fact
pointer-events does not test alpha values for that image. But it feels
strange for pointer-events to depend on the actual image type there, and it
feels even worse for that to be the only defense against a serious security
hole.

But I don't have any better ideas at the moment.
]]
Related Actions Items:
Related emails:
  1. minutes, SVG WG Auckland F2F, day 5 (from cam@mcc.id.au on 2011-03-04)
  2. Re: SVG Security ISSUE-2071 (was: Announcement: Last Call WD of SVG 1.1 Second Edition) (from tlr@w3.org on 2010-07-07)
  3. SVG Security ISSUE-2071 (was: Announcement: Last Call WD of SVG 1.1 Second Edition) (from schepers@w3.org on 2010-06-24)
  4. Re: Announcement: Last Call WD of SVG 1.1 Second Edition (from robert@ocallahan.org on 2010-06-24)
  5. Re: Announcement: Last Call WD of SVG 1.1 Second Edition (from schepers@w3.org on 2010-06-23)
  6. Re: Announcement: Last Call WD of SVG 1.1 Second Edition (from robert@ocallahan.org on 2010-06-23)
  7. Re: Announcement: Last Call WD of SVG 1.1 Second Edition (from ed@opera.com on 2010-06-23)
  8. Re: Announcement: Last Call WD of SVG 1.1 Second Edition (from robert@ocallahan.org on 2010-06-23)
  9. Minutes, 7 Jan 2010 SVG WG (from chris@w3.org on 2010-01-07)
  10. Fwd: Minutes, SVG Telcon, 23 Nov 2009 (from codedread@gmail.com on 2009-11-25)
  11. Minutes, SVG Telcon, 23 Nov 2009 (from schepers@w3.org on 2009-11-25)
  12. Minutes Sydney 2009 F2F day 4 (from cam@mcc.id.au on 2009-02-19)
  13. Minutes Feb 2, 2009 telcon (from ed@opera.com on 2009-02-02)
  14. Regrets, 2 February 2009 telcon (from schepers@w3.org on 2009-02-02)
  15. Agenda, 2 February 2009 telcon (from cam@mcc.id.au on 2009-02-02)
  16. Re: potential security hole involving ... elementFromPoint (ISSUE-2071) (from robert@ocallahan.org on 2008-09-27)
  17. Re: potential security hole involving ... elementFromPoint (ISSUE-2071) (from schepers@w3.org on 2008-09-26)
  18. ISSUE-2071 (filter security): potential security hole involving pointer-events, filters, foreignObject, cross-origin IFRAMEs, and elementFromPoint [SVG Full 1.1] (from sysbot+tracker@w3.org on 2008-09-25)

Related notes:

For a security issue this is open a way to long. 4 years and still open.

Dirk Schulze, 27 Oct 2012, 02:07:10

Display change log ATOM feed


Dirk Schulze <dschulze@adobe.com>, Chair, Chris Lilley <chris@w3.org>, Staff Contact
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 2071.html,v 1.1 2020/01/17 13:19:23 carcone Exp $