
Issue 145915 link

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug-Security



Security/Privacy: <img>-embedded SVG will load external content referenced by CSS @import @font-face

Project Member Reported by groebert@google.com, Aug 31 2012

Issue description

VULNERABILITY DETAILS

If SVGs are embedded using an <img> tag (as in Gmail multipart MIME messages), they should not load external content. However, CSS embedded in an SVG will load @import and @font-face URLs.

VERSION

Chrome Version: Version 22.0.1229.14 beta
Operating System: Linux

REPRODUCTION CASE

Open the attached file in Chrome. Don't rely on Chrome's network inspector; use tcpdump to check for the @font-face and @import requests.
Attachment: leaks.html (604 bytes)
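As an added example (not part of the bug report or its attachment), the following Python check is the kind of filter a mail gateway or upload handler could run over an inbound SVG to flag the CSS at-rules this report describes (@import, @font-face, and the @color-profile case mentioned in comment 1). The SVG it scans is constructed for illustration; host names in it are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# CSS at-rules inside an SVG <style> that can trigger a network fetch
IMPORT_RE = re.compile(r'@import\s+(?:url\(\s*)?["\']?([^"\')\s;]+)', re.I)
AT_BLOCK_RE = re.compile(r'@(font-face|color-profile)\s*\{([^}]*)\}', re.I | re.S)
URL_RE = re.compile(r'url\(\s*["\']?([^"\')\s]+)', re.I)


def is_external(ref):
    """A reference fetches over the network unless it is inline data or a fragment."""
    ref = ref.strip().lower()
    return not (ref.startswith("data:") or ref.startswith("#"))


def find_external_css_refs(svg_text):
    """Return (rule, url) pairs for fetch-capable references in <style> blocks."""
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        tag = el.tag if isinstance(el.tag, str) else ""
        if tag.rsplit("}", 1)[-1] != "style":      # namespace-agnostic match
            continue
        css = el.text or ""                        # CDATA is returned as text
        for m in IMPORT_RE.finditer(css):
            findings.append(("@import", m.group(1)))
        for m in AT_BLOCK_RE.finditer(css):
            for url in URL_RE.findall(m.group(2)):
                findings.append(("@" + m.group(1).lower(), url))
    return [f for f in findings if is_external(f[1])]


# Constructed sample: one @import, one remote font, one inline (safe) font.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <style>
    @import url("https://remote.example/track.css");
    @font-face { font-family: f; src: url(https://remote.example/f.woff); }
    @font-face { font-family: g; src: url(data:font/woff;base64,AAAA); }
  </style>
  <text font-family="f">x</text>
</svg>"""

if __name__ == "__main__":
    for rule, url in find_external_css_refs(SAMPLE_SVG):
        print(f"external reference via {rule}: {url}")
```

The check only covers `<style>` content, which is where the report's leak lives; it does not parse external stylesheets the SVG might reference by other means.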

Comment 1 by groebert@google.com, Aug 31 2012

Probably @color-profile is affected too, but afaik, it's not implemented.
Cc: abarth@chromium.org
Adam, can you be persuaded to investigate this one given your knowledge of the area?

Comment 3 by tsepez@chromium.org, Aug 31 2012

Owner: abarth@chromium.org

Comment 4 by tsepez@chromium.org, Aug 31 2012

Status: Assigned
Confirmed that I do see the GET requests going out using Wireshark on Linux 64.
Labels: -Pri-0 -Area-Undefined Pri-2 Area-WebKit
Sure.
Labels: SecImpacts-Stable SecImpacts-Beta SecSeverity-Low
@abarth: our lower-severity bug list is a bit depressing / out of control at the moment :(
If you could find 30 mins one day to squash one or two easier ones, such as this one, it'd be awesomely appreciated.

Comment 8 by abarth@chromium.org, Sep 21 2012

It's on my todo list, but has trouble bubbling up to the top. I'll see what I can do next week.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Mstone-23 Merge-Approved
Status: FixUnreleased
Adam was a superstar:
Committed r129585: <http://trac.webkit.org/changeset/129585>
Labels: -Merge-Approved Merge-Merged
M23: http://trac.webkit.org/changeset/129693
Status: Fixed

Project Member Comment 13 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Low -Mstone-23 Cr-Content Security-Severity-Low Security-Impact-Stable Security-Impact-Beta M-23 Type-Bug-Security
Labels: -Restrict-View-SecurityNotify

Project Member Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Project Member Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Project Member Comment 18 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Project Member Comment 19 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Project Member Comment 20 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 21 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic