Firefox3.1/External SVG References Security Review: Difference between revisions

(New page: == Overview == The goal is to allow cross-document references in SVG to work. In particular, it should be possible to reference paint servers, masks, and so forth across documents, as wel...)
 
 


== Review comments ==
* For now (3.1) we will restrict external SVG to same-origin
* If we expand this in the future we will use Access-Control
** which site would we send in a complex tree? Doc A could reference SVG docs B and C, both of which include SVG from X. We only load one copy of X, so which Origin: do we send?
* script must be disabled in these external documents.
* don't ever "fix" these to have a docshell -- the lack of one is the implicit basis for the security here. With a docshell we'd have to do a lot more explicit security checks.
* if a parent document clones nodes from the external document, "onfoo" event-handling attributes get cloned too, effectively importing scripts. How do we stop this? Or at least force the importing document to explicitly request this behavior?
* <script> nodes could be imported by cloning, perhaps accidentally if the parent doc is blindly importing a subtree. In normal DOM cloning the "hasExecuted" flag would be set and cloned, but since we're cloning from a script-less context that's probably not the case here and the script will execute on insertion.
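
One way an importing document could neutralise the two cloning paths in the last two comments, as an added example (not Mozilla's code and not part of the original review): Python over <code>xml.etree.ElementTree</code> that deep-copies a subtree from an external SVG document and strips <code>&lt;script&gt;</code> elements and <code>on*</code> attributes before the clone is inserted. The sample document and the names <code>clone_inert</code> and <code>local_name</code> are hypothetical, constructed for illustration.

```python
import copy
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample standing in for an external SVG resource document.
EXTERNAL_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <g id="badge" onclick="track()">
    <script>first()</script>
    <circle r="5" onmouseover="grow()" fill="red"/>
    <a><script type="text/ecmascript">second()</script><rect width="2" height="2"/></a>
  </g>
</svg>"""


def local_name(qname):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def clone_inert(node):
    """Deep-copy `node`, then drop <script> elements and on* attributes.

    Returns (clone, removed); `removed` lists everything that was stripped.
    The source tree is left untouched. (Hypothetical helper, not a Gecko API.)
    """
    if local_name(node.tag).lower() == "script":
        raise ValueError("refusing to clone a <script> element")
    clone = copy.deepcopy(node)
    removed = []

    def scrub(elem):
        # Event-handler attributes: anything named on*, matched conservatively.
        for name in list(elem.attrib):
            if local_name(name).lower().startswith("on"):
                removed.append("@" + local_name(name))
                del elem.attrib[name]
        for child in list(elem):
            if not isinstance(child.tag, str):
                continue  # comments / processing instructions carry no script
            if local_name(child.tag).lower() == "script":
                removed.append("<script>")
                elem.remove(child)  # drops the script at any depth
            else:
                scrub(child)

    scrub(clone)
    return clone, removed
```

The <code>removed</code> list gives the importing side a record of what was dropped, which is the hook for making script import an explicit opt-in rather than a side effect of cloning.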