Re: SVGT 1.2: OriginalEvent underspecified; behavior could be a security risk

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: SVGT 1.2: OriginalEvent underspecified; behavior could be a security risk

Bjoern Hoehrmann

* Maciej Stachowiak wrote:

>SECURITY ISSUES
>
>Furthermore, it seems to me that cross-inclusion bubbling of events  
>could be a security risk, when used across domains. At least reading  
>this naiively, you could pull off exploits like this:
>
>* Include a web page from a different web server in a full-window  
>foreignObject and install a keyboard/mouse sniffer on it to see what  
>the user is typing into a seemingly other site.
>
>* Get access to elements of the foreign document via  
>event.originalEvent.target and so forth, and then use DOM APIs to  
>inject content into the foreign document.
>
>Is it really necessary to provide cross-domain bubbling like this? It  
>seems like the right way to deal with this is to provide  
>contentDocument attributes on any element that can attach foreign  
>content, subject to the typical security restrictions, then you can  
>attach any event handlers you want, whether capturing or bubbling or  
>what have you.
>
>Therefore I recommend removing this feature and instead providing  
>contentDocument attributes for foreignObject and animation (or  
>skipping over cross-document inclusion issues for now and let the CDF  
>WG handle it).

Note that the CDF Working Group already handled this and the relevant
Working Draft http://www.w3.org/TR/CDR/#event-propagation is in Last
Call aswell. Neither feature as currently specified makes much sense
to me, but it seems most of the issues you raise apply to the CDF draft
aswell; I'd appreciate if you could have a look at the "CDR" draft and
provide feedback to the CDF WG.
--
Björn Höhrmann · mailto:[hidden email] · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Reply | Threaded
Open this post in threaded view
|

Re: SVGT 1.2: OriginalEvent underspecified; behavior could be a security risk

Maciej Stachowiak


On Dec 30, 2005, at 2:12 AM, Bjoern Hoehrmann wrote:

>
> Note that the CDF Working Group already handled this and the relevant
> Working Draft http://www.w3.org/TR/CDR/#event-propagation is in Last
> Call aswell. Neither feature as currently specified makes much sense
> to me, but it seems most of the issues you raise apply to the CDF  
> draft
> aswell; I'd appreciate if you could have a look at the "CDR" draft and
> provide feedback to the CDF WG.

I have pulled up the CDR spec and I will comment on this and othe  
rissues. Thanks for the pointer.

REgards,
Maciej