[whatwg] Fetch SVG images with No CORS tainted cross-origin

Ian Hickson ian at hixie.ch
Tue Nov 26 14:50:48 PST 2013


On Fri, 13 Sep 2013, Dirk Schulze wrote:
> 
> If I understand HTML <img> fetching and the fetch spec right. The 
> default behavior on image fetching is No CORS with the mode tainted 
> cross-origin.
> 
> For the example: <img src="image.svg">
> 
> and image.svg:
> 
> <svg>
> 	<image xlink:href="http://otherdomain.com/image.svg">
> </svg>
> 
> In this case the image.svg would be fetched with basic fetch and tainted 
> cross-origin.

Not sure what you mean by "basic" fetch, but more or less, sure.


> But the image inside this image would also be loaded as basic fetch 
> tainted cross origin. Right?

That's up to SVG.


> To summarize. We have two kind of possibilities of fetching in SVG:
> 
> SVG with "single security origin": The SVG is not allowed to fetch any 
> external resources. References in the same document and dataURLs, blobs 
> are allowed.
>
> SVG "as document": Allowed to fetch resources with No CORS - But: 
> possibly CORS enabled depending on the referencing element (<object>, 
> <embed> or <iframe>).
> 
> Would it be possible to define it that way? If the former named 
> elements, then use the fetching mechanism defined by these elements. 
> Otherwise use "single security origin"? Could Fetch define "single 
> security origin"?

Anne answered the Fetch side of this; on the HTML side, I'm happy to 
invoke a hook if SVG provides one.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


More information about the whatwg mailing list