SVG and Noscript

Ask for help about NoScript, no registration needed to post
rees65
Posts: 2
Joined: Sun Mar 18, 2012 2:15 pm

SVG and Noscript

Post by rees65 »

Hi,

I've been looking at SVGs. Specifically for non-JavaScript interactivity.
I was surprised to see a native mouseover event blocked.
It works fine if permission is granted to the parent site.

eg
http://www.petercollingridge.co.uk/site ... seover.svg

I'm hoping someone can tell me more about this, feeling that it's security overkill - is mouseover really dangerous?
There isn't much on SVG in the forums.

Thanks
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: SVG and Noscript

Post by Alan Baxter »

The url of your example got mangled. On this forum you sometimes need to enclose them with to prevent that from happening. I found one that seems to demonstrate the problem you describe.
http://www.petercollingridge.co.uk/site ... seover.svg

Even if I uncheck all the restrictions in NoScript > Embeddings, mousing over the blue square doesn't change its opacity unless I allow scripting from petercollingridge.co.uk. I don't know why that is. A bug in NoScript? The NoScript icon indicates with its white S that scripting isn't used on that page, so I don't know why it needs to be allowed.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: SVG and Noscript

Post by dhouwn »

JS is JS, I don't get how this behavior would be unexpected.

SMIL on the other hand, works fine: http://upload.wikimedia.org/wikipedia/c ... imated.svg
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: SVG and Noscript

Post by Alan Baxter »

dhouwn wrote: JS is JS, I don't get how this behavior would be unexpected.
It's unexpected because that page doesn't use JavaScript. The NoScript icon and my viewing of the source for that page seem to agree that no JavaScript is being used. Could you be more specific about where you see JavaScript?
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

Alan Baxter wrote: The NoScript icon .... no JavaScript is being used. Could you be more specific about where you see JavaScript?

Code:

-http://www.petercollingridge.co.uk
-petercollingridge.co.uk
(disallowed scripting, as shown by - sign on copy/paste of menu) NS icon red = demo fails.

Code:

+http://www.petercollingridge.co.uk
(TA'd, as per + sign on copy/paste of menu) NS icon clear, all scripting allowed = demo succeeds.

Go to the home page: http://www.petercollingridge.co.uk/
and allowing or not allowing that site changes the page's look.

I don't have time at the moment to look through all 15 scripts, totalling > 130 Kb, but note the prevalence of "sites/all" in the titles as shown by JSView:

Code:

http://www.petercollingridge.co.uk/misc/jquery.js?f
http://www.petercollingridge.co.uk/misc/drupal.js?f
http://www.petercollingridge.co.uk/sites/default/modules/lightbox2/js/auto_image_handling.js?f
http://www.petercollingridge.co.uk/sites/default/modules/lightbox2/js/lightbox.js?f
http://www.petercollingridge.co.uk/sites/default/modules/mollom/mollom.js?f
http://www.petercollingridge.co.uk/sites/all/libraries/syntaxhighlighter/scripts/shCore.js?f
http://www.petercollingridge.co.uk/sites/all/libraries/syntaxhighlighter/scripts/shBrushJava.js?f
http://www.petercollingridge.co.uk/sites/all/libraries/syntaxhighlighter/scripts/shBrushPerl.js?f
http://www.petercollingridge.co.uk/sites/all/libraries/syntaxhighlighter/scripts/shBrushPlain.js?f
http://www.petercollingridge.co.uk/sites/all/libraries/syntaxhighlighter/scripts/shBrushPython.js?f
http://www.petercollingridge.co.uk/sites/all/libraries/syntaxhighlighter/scripts/shBrushSql.js?f
http://www.petercollingridge.co.uk/sites/all/libraries/syntaxhighlighter/scripts/shBrushXml.js?f
http://www.petercollingridge.co.uk/sites/default/modules/syntaxhighlighter/syntaxhighlighter.min.js?f
http://www.petercollingridge.co.uk/sites/default/themes/skyblue/javascript/site.js?f
Clearly, sub-pages inside his domain run the scripts of the main site, even though no direct call is seen in the source page *of the demo*.

I think the icon is white, vs. blue/white, because *that document* does not load script. But it's part of a URL for which all scripts apply, which is why I could toggle the demo by toggling script permission of the main site.

Without the home site's script, the onmouseover attribute of the blue square is ineffective.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: SVG and Noscript

Post by therube »

If you manually disable JavaScript, the OP's link also fails.

> sub-pages inside his domain run the scripts of the main site, even though no direct call is seen in the source page *of the demo*

How?
(Not that I'm saying it isn't so, just saying I don't see how. And not that I would know one way or the other except that I see nothing that would indicate that.)

WAG...

Perhaps XML vs HTTP?
Perhaps the "page header" layout? (Substituting one for another broke things.)
And then if not the header, then the body itself, not kosher in some way?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120318 Firefox/13.0a2 SeaMonkey/2.10a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

therube wrote: How?

WAG...

Perhaps the "page header" layout? (Substituting one for another broke things.)
My SWAGs:

1) Since the URL of the demo page contains all, or so much, of the upper-level divisions, perhaps the base 2LD calls scripts as it is parsed.
I'll bet that every other page within the base 2LD runs all of those "sites/all" scripts - or just, all scripts.

2) Yeah, the XML.

Code:

xmlns:xlink="http://www.w3.org/1999/xlink"
http://www.w3.org/TR/xlink/
This specification defines the XML Linking Language (XLink), which allows elements to be inserted into XML documents in order to create and describe links between resources. It uses XML syntax to create structures that can describe links similar to the simple unidirectional hyperlinks of today's HTML, as well as more sophisticated links
Seems like that would do the trick?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: SVG and Noscript

Post by Alan Baxter »

I'm not talking about the main site, which does use scripting. I'm talking about the link I posted.
http://www.petercollingridge.co.uk/site ... seover.svg

Viewing the source of that link, I see no scripts. NoScript agrees: the NoScript icon displays a white S, which means that there are no scripts on that page. Frankly, I don't see any indication that the page "knows" anything about the other pages on the site, and the fact that they use scripts is irrelevant here.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: SVG and Noscript

Post by Alan Baxter »

I think WAGs won't tell us what's going on. Try putting that page on a site that doesn't use scripting. I wouldn't be surprised if you get the same result. This would be a really good time for Giorgio to explain why he is requiring scripts to be allowed even if all the restrictions in NoScript > Embeddings are unchecked.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: SVG and Noscript

Post by Alan Baxter »

therube wrote: If you manually disable JavaScript, the OP's link also fails.
Confirmed. I should have tried that sooner. Doesn't appear to be a NoScript issue after all.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

Alan Baxter wrote: I'm not talking about the main site, which does use scripting. I'm talking about the link I posted.
http://www.petercollingridge.co.uk/site ... seover.svg
Yes, I know that. I can read. The presence of a red NS Icon at the demo indicated that something is being blocked. Can you read my previous post, and read the color-coding on the NS icon when the root's scripts are blocked? ;) (don't mean that to be as snide as it sounded, sorry, but I thought I was clear on which site the demo was and how toggling the NS permissions, thus toggling the color of the NS logo, toggled the effectiveness of the demo. :) )

The site in question wasn't even a subdomain, but rather, a subfolder of the root.

See this topic for the opposite side of the coin: Allowing such subfolders while prohibiting the root. It required a regexp in ABE. Clearly, all subfolders are running the root's script, which is why that poster needed ABE to block all script except a specific subfolder. It stands to reason that one would expect the root's scripts to run at subfolders, else that other poster couldn't have succeeded in allowing one while blocking others. If the subfolder wouldn't run the root's scripts by default, s/he has nothing to work with, in ABE or elsewhere.
Alan Baxter wrote: Viewing the source of that link, I see no scripts. NoScript agrees: the NoScript icon displays a white S, which means that there are no scripts on that page.
As said previously, disallow the root's script, and note that the NS icon is red AT THE DEMO -- with that being the only tab/window open from that root.
Clearly, something is being blocked -- *and the demo fails*.
Alan Baxter wrote: Frankly, I don't see any indication that the page "knows" anything about the other pages on the site, and the fact that they use scripts is irrelevant here.
Apparently, not so.

Did you read the quote about the capabilities of xlink XML?
Alan Baxter wrote: This would be a really good time for Giorgio to explain why he is requiring scripts to be allowed even if all the restrictions in NoScript > Embeddings are unchecked.
I figured that at some point, Giorgio would chime in and tell us the exact mechanism by which the demo page calls the root's script, without an obvious call in the source code.

We were trying to figure that out ourselves. WAG and SWAG are colloquialisms of modesty, much as "IMHO". I did not make a wild guess; I examined the evidence, *researched the xlink portion of xml*, and made what I thought were *very* educated hypotheses (not guesses), which Giorgio or someone else who knows can confirm/deny.

This is a method of learning. It's how I learned much of what I know in IT and in the many other fields in which Your Humble Polymathic Servant has some degree of knowledge. "Most of my learning occurred after graduation." :D

We could have just asked Giorgio in the first place, but
a) Hate to waste his time if we can nail it ourselves, or among the community, and
b) Getting one's fingernails dirty, digging around under the hood, often gives more complete and longer-retained knowledge than just asking someone. WFM, YMMV.

(trimming C:\WINDOWS from 4+ GB to 180 MB over two years was quite a learning experience, as it necessarily involved some dissection of the OS and its functions.)

Cheers.

ETA: Your most recent message was posted while I was composing this long one.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: SVG and Noscript

Post by Alan Baxter »

Try putting that page on a site that doesn't use JavaScript on any other pages. I wouldn't be surprised if you get the same result. If you're able to do that research, let us know where it is so we can see if it gives the same result as the link I posted.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: SVG and Noscript

Post by therube »

> The site in question wasn't even a subdomain, but rather, a subfolder of the root.

Ah. Now I understand where you're coming from. And I think we may be getting somewhere too.

> WAG and SWAG are colloquialisms of modesty, much as "IMHO".

Nope. In my case, just what it said. Throw it against the wall & see if anything sticks. And if it doesn't, so be it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120318 Firefox/13.0a2 SeaMonkey/2.10a2
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: SVG and Noscript

Post by GµårÐïåñ »

You guys are aware that the SVG format in general is not secure (meaning can be "weaponized" for lack of a better term) and has inner workings that are unrelated or even often uncontrolled by the user end (including some level of "scripting" for lack of a better word that can't be controlled externally)? Other than what renders it?

Hence an attack vector in itself. Although mostly done through JavaScript at the time, SMIL is a very real vector, although somewhat limited. Just thought I add that to the discussion, take away from it what you will. ATM, NS is doing what it should, block the JS but not the SMIL, not sure what the confusion is about? You can still use SMIL to get the animation without needing JS.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11 Comodo_Dragon/17.5.2.0
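The point the thread converges on (an onmouseover attribute on an SVG element is JavaScript and goes inert when scripting is disabled, whereas SMIL animation keeps working) can be made concrete with a small checker. The script below is an added example, not code from this thread or from NoScript: it scans an SVG document for script-dependent constructs (inline on* event-handler attributes, script elements, javascript: links) and for SMIL animation elements, and reports which kind of interactivity the file relies on. Both SVG strings are constructed stand-ins for the demo discussed above; the regexes are a heuristic scan, not an XML parser, so hits are review signals rather than proof.

```javascript
// Added example (not from the thread or from NoScript): classify what an SVG
// needs in order to be interactive. Inline on* handlers, <script> and
// javascript: URLs need a JavaScript engine; SMIL <animate>/<set> do not.

// Constructed sample 1: the "blue square" pattern done with an inline handler.
const SVG_WITH_HANDLER = `<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="60" height="60" fill="blue" opacity="1"
        onmouseover="evt.target.setAttribute('opacity', '0.5')"
        onmouseout="evt.target.setAttribute('opacity', '1')"/>
</svg>`;

// Constructed sample 2: the same visual effect expressed declaratively in SMIL.
const SVG_WITH_SMIL = `<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="60" height="60" fill="blue" opacity="1">
    <set attributeName="opacity" to="0.5" begin="mouseover" end="mouseout"/>
  </rect>
</svg>`;

// Heuristic patterns. A regex scan is not an XML parser, so treat the result
// as a triage signal, not as a guarantee about the document.
const SCRIPT_ELEMENT = /<script\b/i;
const EVENT_HANDLER_ATTR = /\s(on[a-z]+)\s*=\s*["']/gi;
const JAVASCRIPT_URL = /href\s*=\s*["']\s*javascript:/i;
const SMIL_ELEMENT = /<(animate|animateTransform|animateMotion|set|discard)\b/gi;

function analyzeSvg(svgText) {
  const handlers = new Set();
  for (const m of svgText.matchAll(EVENT_HANDLER_ATTR)) {
    handlers.add(m[1].toLowerCase());
  }
  const smil = new Set();
  for (const m of svgText.matchAll(SMIL_ELEMENT)) {
    smil.add(m[1]);
  }
  const hasScriptElement = SCRIPT_ELEMENT.test(svgText);
  const hasJavascriptUrl = JAVASCRIPT_URL.test(svgText);
  const needsScript = hasScriptElement || hasJavascriptUrl || handlers.size > 0;

  let verdict;
  if (needsScript) {
    verdict = "requires JavaScript: inert when scripting is disabled (browser setting or NoScript)";
  } else if (smil.size > 0) {
    verdict = "SMIL only: animated without any script engine";
  } else {
    verdict = "static: no script and no SMIL found";
  }
  return {
    needsScript,
    hasScriptElement,
    hasJavascriptUrl,
    eventHandlers: [...handlers].sort(),
    smilElements: [...smil].sort(),
    verdict,
  };
}

// Stand-alone run: classify both constructed samples.
for (const [name, doc] of [["onmouseover demo", SVG_WITH_HANDLER], ["SMIL demo", SVG_WITH_SMIL]]) {
  const r = analyzeSvg(doc);
  console.log(`${name}: ${r.verdict}`);
  if (r.eventHandlers.length) console.log(`  handlers: ${r.eventHandlers.join(", ")}`);
  if (r.smilElements.length) console.log(`  SMIL: ${r.smilElements.join(", ")}`);
}
```

Run it with Node 12 or later (it uses String.prototype.matchAll). The first sample is reported as requiring JavaScript because of its onmouseover/onmouseout attributes, which is exactly why the demo fails with scripting off even though the document contains no script element; the second is reported as SMIL only, matching the observation that SMIL animation keeps working with JavaScript disabled.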
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

GµårÐïåñ wrote: ... ATM, NS is doing what it should, block the JS but not the SMIL, not sure what the confusion is about? You can still use SMIL to get the animation without needing JS.
The confusion is that blocking the JS defeats the demo. ... SMIL or no SMIL. :?

I was trying to do what Alan suggested -- put that page on a site without that JS, namely, my own little page @ my ISP, but I haven't updated it in ages, and I can't even type or paste in the "edit" block. Their tech support is not open at this hour, so if I can get it working another time, I will indeed try hosting that exact page.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28