Closed Bug 689224 Opened 9 years ago Closed 7 years ago

Revert bug 686581 since it's ineffective and will only cause confusion

Categories

(Core :: SVG, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: dao, Unassigned)

+++ This bug was initially created as a clone of Bug #686581 +++

Bug 686581 disabled native theming in SVG images based on the idea that this would prevent data leakage. This is ineffective; see bug 686581 comment 15, bug 686581 comment 16, bug 686581 comment 17. I have a hard time imagining a use case for a button in an SVG image, but assuming there is one, the lack of native theming will be surprising and seen as a Gecko quirk.

I'm not sure what you mean by "You need neither canvas nor SVG for it, just CSS and getComputedStyle."

JavaScript is disabled in SVG images, so you can't call getComputedStyle there, and to the container the image is presented as a bitmap, so you can't query its DOM to find out style information.

I think Dao is saying that, using getComputedStyle with CSS system colors, an attacker could figure out what the system colors are and guess the theme that way.

That's probably true, but it's not the same as exposing system theme pixel data and I see no need to open this wider information channel.

Think HTML, CSS, JavaScript. No SVG involved whatsoever.

(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #2)
> That's probably true, but it's not the same as exposing system theme pixel
> data and I see no need to open this wider information channel.

How exactly is the "system theme pixel data" interesting, other than for identifying the theme?

It more precisely identifies the theme, but maybe it'll be useful for other things.

It's a new information leak and there's no compelling reason to open it.

(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #5)
> It more precisely identifies the theme, but maybe it'll be useful for other
> things.

This assumes that themes rendering controls differently share the same system colors. I think that's very rarely the case, if at all.

> It's a new information leak and there's no compelling reason to open it.

That it's new appears to be a largely baseless claim (as per above). The reason to keep this "leak" open is that when people put HTML elements in foreignObject, they're going to expect them to look like they normally would.

We've had no reports in 2 years so I guess nobody noticed.

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
See Also: → 1470146