Proposals/Restricted SVG fetching model

Note: This document is work in progress.

Introduction

In recent years, browser vendors have experienced attacks on the privacy of users via cross-site scripting, visited-link data and timing attacks. This led to several security models, such as restrictions in CSS and CORS. SVG can be a target of privacy attacks as well. Browsers already have several security measures in place; it is up to the SVG WG to standardize these approaches in the interest of interoperability and of protecting the privacy of the user. This document provides examples of potential security risks, fetching strategies to prevent privacy attacks, and guidance on how other specifications should use this document.

Terminology

Possible risks

SVG makes extensive use of IRIs in several places in the spec. With the xlink:href attribute, SVG files can reference and fetch further resources without any restrictions, giving the content creator as much freedom as possible in choosing resources. SVG does not place restrictions on event handlers or scripts either. This can be used for cross-domain/cross-site attacks, as in the following scenarios:

  1. SVG loaded as an image by the HTML <img> tag.
    • An SVG file is loaded from domain A: <img src="http://A/image.svg">
    • The SVG file itself requests an image from domain B: <image xlink:href="http://B/image.png"/>
    • Domain B can now track and count the loads of the image on domain A.
  2. Scripts run on loading a <clipPath> resource.
    • An SVG clipPath resource is requested by a document on domain A. The resource is on domain B.
    • The clipPath resource on domain B contains animations with event handlers.
    • The scripts run in the origin of domain B, so the same-origin policy does not protect other resources on domain B from them.

More examples using fonts, stylesheets or other SVG documents can be constructed by following the same pattern.

As seen above, not only the security and privacy of the user but also data from other domains need to be considered.
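As an added illustration (this is example code, not part of the proposal or of any browser implementation), the following JavaScript scans the start tags of an SVG document loaded from a given URL and reports what the two scenarios above would trigger: fetches initiated by href/xlink:href, and script execution through script elements or on* event-handler attributes. The blocking decision it applies in restricted mode, cross-origin fetches and all script execution, is an assumption modelled on scenarios 1 and 2, not the restriction list of this document, which is still to be written. The sample document, the domains A and B, and the function names are constructed for the example.

```javascript
// Added example, not the SVG WG's code. The "restricted" policy below is an
// ASSUMPTION modelled on scenarios 1 and 2 (block cross-origin fetches and all
// script execution); the proposal has not yet defined its restriction list.

// Matches one start tag: element name, then the raw attribute text.
const START_TAG = /<([A-Za-z_][\w:.-]*)((?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
// Matches one attribute inside that raw text: name and optional quoted/unquoted value.
const ATTRIBUTE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// The attributes this document lists as "attributes that potentially fetch".
const FETCHING_ATTRIBUTES = new Set(["href", "xlink:href"]);

function parseAttributes(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTRIBUTE)) {
    attrs[m[1]] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Walks the SVG text and classifies every potential fetch and script entry point.
// documentUrl is the URL the SVG itself was fetched from (origin A in scenario 1).
// restricted mirrors the Resource Restricted flag of this document.
function auditSvgDocument(svgText, documentUrl, restricted) {
  const documentOrigin = new URL(documentUrl).origin;
  const fetches = [];
  const scripts = [];

  for (const tag of svgText.matchAll(START_TAG)) {
    const element = tag[1];
    const attrs = parseAttributes(tag[2]);

    if (element === "script") {
      scripts.push({ element, attr: null, blocked: restricted });
    }
    for (const [name, value] of Object.entries(attrs)) {
      // Event-handler attributes such as onload/onbegin are script entry points
      // (scenario 2: animations with event handlers in a clipPath resource).
      if (/^on[a-z]+$/i.test(name)) {
        scripts.push({ element, attr: name, blocked: restricted });
      }
      // Fragment-only references (#id) stay inside the document and do not fetch.
      if (FETCHING_ATTRIBUTES.has(name) && !value.startsWith("#")) {
        const target = new URL(value, documentUrl);
        const crossOrigin = target.origin !== documentOrigin;
        fetches.push({
          element,
          attr: name,
          url: target.href,
          crossOrigin,
          // Scenario 1: a cross-origin fetch lets domain B count loads on domain A.
          blocked: restricted && crossOrigin,
        });
      }
    }
  }
  return { fetches, scripts };
}

// Constructed sample: an SVG served from domain A that embeds the two scenarios.
const SAMPLE_URL = "http://A/image.svg";
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://B/image.png" width="10" height="10"/>
  <image href="/logo.png" width="10" height="10"/>
  <use href="#shape"/>
  <clipPath id="clip">
    <rect id="shape" width="5" height="5">
      <animate attributeName="width" to="1" onbegin="track()"/>
    </rect>
  </clipPath>
  <script>alert(1)</script>
</svg>`;

const report = auditSvgDocument(SAMPLE_SVG, SAMPLE_URL, true);
console.log(JSON.stringify(report, null, 2));
```

With the flag unrestricted the same call reports the same two fetches and two script entry points but blocks none of them; the same-origin /logo.png fetch stays allowed in both modes, which is the distinction a user agent has to draw per reference rather than per document.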

The Resource Restricted flag

An SVG file that is loaded as a root document has different security/privacy concerns than an SVG file that is loaded as some kind of resource like image or resource pool for shapes, gradients, patterns, colors, filters, clipPaths or masks.

From now on, every SVG document MUST have a Resource Restricted flag that determines the security model in use. Every fetch of an SVG document with restrictions enabled (the restrictions are defined later in this document) MUST set this flag to restricted. If the flag is not set, it defaults to unrestricted. User agents MUST take this flag into account and follow the restrictions defined in this document.

This document provides guidance on when a fetch SHOULD set the Resource Restricted flag.

Fetching models for SVG files

The Resource Restricted flag currently defines two different fetching models for SVG documents. The following two sections describe the two fetching strategies.

Unrestricted fetching of SVG documents

Restricted fetching of SVG documents

  • Attributes that potentially fetch
    • xlink:href
    • href

Guidance for setting the Resource Restricted flag

...

Other resources and documents