X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/08485ec444cf81015e39c52e6ce8e7b933a036f6..3ae8a75101c88712517294b4ebbb3e4bc68d446d:/doc/todo/finer_control_over___60__object___47____62__s.mdwn diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn index ac4b55568..50c4d43bf 100644 --- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn +++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn @@ -27,13 +27,61 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by [[wishlist]] -> SVG can contain embedded javascript. The spec that you link to contains +> SVG can contain embedded javascript. + +>> Indeed. + +>> So, a more general tool (`XML::Scrubber`?) will be necessary to +>> refine both [XHTML][] and SVG. + +>> … And to leave [MathML][] as is (?.) + +>> — [[Ivan_Shmakov]], 2010-03-12Z. + +> The spec that you link to contains > examples of objects that contain python scripts, Microsoft OLE > objects, and Java. And then there's flash. I don't think ikiwiki can > assume all the possibilities are handled securely, particularly WRT XSS > attacks. > --[[Joey]] +>> I've scanned over all the `object` examples in the specification and +>> all of those that hold references to code (as opposed to data) have a +>> distinguishing `classid` attribute. + +>> While I won't assert that it's impossible to reference code with +>> `data` (and, thanks to `text/xhtml+xml` and `image/svg+xml`, it is +>> *not* impossible), throwing away any of the “insecure” +>> attributes listed above together with limiting the possible URI's +>> (i. e., only *local* and certain `data:` ones for `data` and +>> `usemap`) should make `object` almost as harmless as, say, `img`. + +>>> But with local data, one could not embed youtube videos, which surely +>>> is the most obvious use case? + +>>>> Allowing a “remote” object to render on one's page is a + security issue by itself. + Though, of course, having an explicit whitelist of URI's may make + this issue more tolerable. + — [[Ivan_Shmakov]], 2010-03-12Z. + +>>> Note that youtube embedding uses an +>>> object element with no classid. The swf file is provided via an +>>> enclosed param element. --[[Joey]] + +>>>> I've just checked a random video on YouTube and I see that the + `.swf` file is provided via an enclosed `embed` element. Whether + to allow those or not is a different issue. + — [[Ivan_Shmakov]], 2010-03-12Z. + +>> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being +>> restricted in such a way.) + +>> Of the remaining issues I could only think of recursive +>> `object` — the one that references its container document. + +>> — [[Ivan_Shmakov]], 2010-03-12Z. + ## See also * [Objects, Images, and Applets in HTML documents][objects-html] @@ -43,6 +91,8 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by * [Uniform Resource Identifier — the free encyclopedia][URI] [HTML::Scrubber]: http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm +[MathML]: http://en.wikipedia.org/wiki/MathML [objects-html]: http://www.w3.org/TR/1999/REC-html401-19991224/struct/objects.html [RFC 2397]: http://tools.ietf.org/html/rfc2397 [URI]: http://en.wikipedia.org/wiki/Uniform_Resource_Identifier +[XHTML]: http://en.wikipedia.org/wiki/XHTML