[whatwg] Fetch SVG images with No CORS tainted cross-origin

Dirk Schulze dschulze at adobe.com
Mon Dec 2 02:35:31 PST 2013


The document “SVG Integration Module Level 1” [1] is going to define the specifics of fetching in SVG. I hope to find the time to add actual content in January and would be happy for reviews after that.

Greetings,
Dirk

[1] https://dvcs.w3.org/hg/svg2/raw-file/7a902f4a33f6/specs/integration/Overview.html
 
On Nov 27, 2013, at 5:39 PM, Boris Zbarsky <bzbarsky at MIT.EDU> wrote:

> On 11/27/13 9:08 AM, Anne van Kesteren wrote:
>> It seems weird to say "Gecko has serious security concerns". Either
>> there's a factual security issue or not, right?
> 
> In theory, yes.
> 
> In practice, opinions seem to differ, not least because one person's 
> security/privacy issue is another's business model.
> 
> In this particular case, last I checked, other UAs are more permissive 
> than Gecko, and seem to not care about the issue we care about in this 
> situation.
> 
>> And as far as I can tell the issue is that if someone allows uploading SVG images, people
>> could include tracker images in those SVG images.
> 
> That's correct.
> 
>> And therefore the SVG specification should simply outlaw that.
> 
> I'm all for that, obviously.  ;)
> 
>> Note that even then those SVG images cannot be hosted same-origin unless you run them through
>> some kind of whitelist-based filter.
> 
> Indeed.
> 
> -Boris
> 



More information about the whatwg mailing list