Firefox3.1/SMIL Security Review: Difference between revisions

Overview

Describe the goals and objectives of the feature here.

Background links

• Bug 216462: Main SMIL bug
  • Latest patch
• SVG 1.1 Spec's Animation Section
• SMIL Animation Spec
• Brian Birtles' writeup

Security and Privacy

• What security issues do you address in your project?
  • None.

• Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
  • No. There are no configuration files, and the only planned about:config pref is just an enable/disable flag. (see pref description below)

• Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
  • Security Assumptions:
    • SVG documents aren't allowed to draw outside of their boundaries, or over Firefox chrome.
  • Potential attack points:
    • If embedded SVG were allowed to draw outside of its boundaries, it could use SMIL to cover bits of the host document with its own SVG elements.
    • Integer overflows in SMIL attributes, or in animated SVG attributes, or in other attributes that depend on the animated attributes (e.g. heights/widths during a skew animated with animateTransform )

Exported APIs

• Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
  • nsIDOMElementTimeControl.idl
    • boolean beginElement()
    • boolean beginElementAt(in float offset)
    • boolean endElement()
    • boolean endElementAt(in float offset)
  • nsIDOMSVGAnimationElement.idl
    • float getStartTime()
    • float getCurrentTime()
    • float getSimpleDuration()
  • nsIDOMSVGAnimateElement.idl, nsIDOMSVGAnimateTransformElement.idl, nsIDOMSVGSetElement.idl
    • Subclass nsIDOMSVGAnimationElement; don't add any functions.

• Does it interoperate with a web service? How will it do so?
  • No.

• Explain the significant file formats, names, syntax, and semantics.
  • Main file format: SVG
  • Sample animation tag usage:

<rect x="15" y="200" width="200" height="200" fill="blue">
   <animate attributeName="y" from="100" to="200" begin="0s" dur="2s" fill="freeze"/>
</rect>

 <rect x="15" y="200" width="200" height="200" fill="blue">
   <animateTransform attributeName="transform" type="rotate"
                     from="-30" to="0"
                     begin="1s" dur="5s" fill="freeze"/> 
 </rect>

<circle cx="0" cy="0" stroke="black" r=".05" fill="orange" stroke-width="0.005">
   <animate attributeName="cy" dur="3s" values="0; 1"
            calcMode="spline" keySplines=".5 0 .5 1"
            repeatDur="indefinite" />
   <animate attributeName="cx" dur="3s" values="0; 1"
            repeatDur="indefinite" />
</circle>

• Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
  • They're documented in the SVG & SMIL Animation specs.
  • We could probably use up-to-date documentation on MDC detailing what we support.

• Does it change any existing interfaces?
  • It adds implementations for these methods on nsIDOMSVGSVGElement.idl, which previously all just returned NS_NOTYETIMPLEMENTED:
    • void pauseAnimations()
    • void unpauseAnimations()
    • boolean animationsPaused()
    • float getCurrentTime()
    • void setCurrentTime(in float seconds)

Module interactions

• What other modules are used (REQUIRES in the makefile, interfaces)
  • gfx, layout, content, dom

Data

• What data is read or parsed by this feature
  • The values of the SVG <animate>, <set>, and <animateTransform> elements' attributes. These consist of semicolon-separated lists of values, time values, ...
  • The SMIL patch adds the class "nsSMILParserUtils," which takes care of its parsing needs.

• What is the output of this feature
  • Animations (animated attributes) in SVG documents that would otherwise be static.

• What storage formats are used
  • nsSMILValue stores the actual animated attribute values
  • Other containers: nsTArray, nsCOMArray

Reliability

• What failure modes or decision points are presented to the user?
  • None.

• Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
  • N/A -- no files or locks used.

Configuration

• Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
  • Yes: I'm planning on using an about:config pref to allow the user to enable/disable SMIL. (Either using the existing image.animation_mode pref, or adding a smil-specific pref)

• Are there build options for developers? [#ifdefs, ac_add_options, etc.]
  • Yes: "ac_add_options --enable-smil". (The current patch defaults to having SMIL support disabled.)

• What ranges for the tunable are appropriate? How are they determined?
  • Enabled / Disabled
  • One possible additional about:config value: I had a request in IRC for the about:config pref to have a value that would show animations *only* in standalone SVG but not in SVG-embedded-in-HTML, for performance reasons. Haven't given this much thought yet, and I'm not sure how big of a use case it is.
    • This additional value would mean we'd need the about:config pref to be SMIL-specific (not the shared image.animations_enabled one), and would need to be string-valued rather than bool-valued.

• What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
  • N/A

Relationships to other projects

• Are there related projects in the community?
  • Opera and WebKit both support subsets of SMIL. FakeSMIL is a Greasemonkey script that uses Javascript to add partial SMIL support to Firefox.

• If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
  • This proposal is parallel to their work, adding built-in SMIL support to Firefox.

• Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?
  • No & N/A -- I'm not updating, copying or changing functional areas maintained by other groups.

Review comments