+++ This bug was initially created as a clone of Bug #686581 +++ Bug 686581 disabled native theming in SVG images based on the idea that this would prevent data leakage. This is ineffective; see bug 686581 comment 15, bug 686581 comment 16, bug 686581 comment 17. I have a hard time imagining a use case for a button in an SVG image, but assuming there is one, the lack of native theming will be surprising and seen as a Gecko quirk.
I think Dao is saying that using getComputedStyle with CSS system colors an attacker could figure out what the system colors are and guess the theme that way. That's probably true, but it's not the same as exposing system theme pixel data and I see no need to open this wider information channel.
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #2) > That's probably true, but it's not the same as exposing system theme pixel > data and I see no need to open this wider information channel. How exactly is the "system theme pixel data" interesting, other than for identifying the theme?
It more precisely identifies the theme, but maybe it'll be useful for other things. It's a new information leak and there's no compelling reason to open it.
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #5) > It more precisely identifies the theme, but maybe it'll be useful for other > things. This assumes that themes rendering controls differently share the same system colors. I think that's very rarely the case, if at all. > It's a new information leak and there's no compelling reason to open it. That it's new appears to be largely baseless claim (as per above). The reason to keep this "leak" open is that when people put HTML elements in foreignObject, they're going to expect them to look like they normally would.
We've had no reports in 2 years so I guess nobody noticed.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.