[whatwg] Fetch SVG images with No CORS tainted cross-origin
Ian Hickson
ian at hixie.ch
Tue Nov 26 14:50:48 PST 2013
On Fri, 13 Sep 2013, Dirk Schulze wrote:
>
> If I understand HTML <img> fetching and the fetch spec right, the
> default behavior on image fetching is No CORS with the mode tainted
> cross-origin.
>
> For the example: <img src="image.svg">
>
> and image.svg:
>
> <svg>
> <image xlink:href="http://otherdomain.com/image.svg">
> </svg>
>
> In this case the image.svg would be fetched with basic fetch and tainted
> cross-origin.
Not sure what you mean by "basic" fetch, but more or less, sure.
> But the image inside this image would also be loaded as basic fetch
> tainted cross origin. Right?
That's up to SVG.
> To summarize, we have two kinds of possibilities of fetching in SVG:
>
> SVG with "single security origin": The SVG is not allowed to fetch any
> external resources. References in the same document, data URLs, and blobs
> are allowed.
>
> SVG "as document": Allowed to fetch resources with No CORS - But:
> possibly CORS enabled depending on the referencing element (<object>,
> <embed> or <iframe>).
>
> Would it be possible to define it that way? If the former named
> elements, then use the fetching mechanism defined by these elements.
> Otherwise use "single security origin"? Could Fetch define "single
> security origin"?
Anne answered the Fetch side of this; on the HTML side, I'm happy to
invoke a hook if SVG provides one.
--
Ian Hickson U+1047E
http://ln.hixie.ch/ U+263A
Things that are impossible just take longer.