SVG security review: Hookup of SVG events

Status: RESOLVED FIXED
Component: Core :: SVG
Reported: 13 years ago
Last updated: 12 years ago

Reporter: Jesse Ruderman
Assignee: jwatt
Tracking: Trunk

Description (Reporter, 13 years ago)

T Rowley mentioned that this is part of the SVG attack surface and could do with
a security review:

  * hookup of svg events - nsSVGSVGElement.cpp

http://lxr.mozilla.org/mozilla/source/content/svg/content/src/nsSVGSVGElement.cpp

Updated (Reporter, 13 years ago): Blocks: 306101

Comment 1 (Reporter, 13 years ago)

jwatt tested some stuff: making sure you can't make SVG events bubble out of
iframes, making sure you can't inject synthesized events into other documents,
etc. He hasn't found any problems there.

jwatt said he was careful in his use of the isTrusted flag, and jst
super-reviewed the code, so that aspect should be good.

Shaver, did you have other concerns about SVG events, or can this be marked as
fixed?
Assignee: general → jonathan.watt
Blocks: 302103

Comment 2 (Assignee, 13 years ago)

The bug for implementing SVG events was bug 302103.

I put up a couple of pages on two of my sites to do some cross-domain testing. See
http://jwatt.org/svg/tests/svg-events-security.html

Comment 3 (Assignee, 12 years ago)

As the implementor of SVG events, I'm not sure I'm the appropriate person to do this review. However, I believe the code uses the existing event framework correctly to ensure it doesn't constitute a security hole. jst reviewed so it seems he believes so too. If anything, the SVG events should be less likely to be a source of a security hole than the pre-existing events since the apps don't listen for or perform a default action for SVG events. SVG events are purely a notification to content about things that have *already* happened (i.e. non-cancelable). Of course there's the potential that some extensions may listen for them and do inappropriate things, but that's no different to any of the other events. I consider this bug to be "fixed", so marking it so. If anyone disagrees please elaborate on what actions you still want me to take or reopen and assign to yourself.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED