[whatwg] Fetch SVG images with No CORS tainted cross-origin

Boris Zbarsky bzbarsky at MIT.EDU
Tue Nov 26 17:13:51 PST 2013


On 11/26/13 5:50 PM, Ian Hickson wrote:
>> But the image inside this image would also be loaded as basic fetch
>> tainted cross origin. Right?
>
> That's up to SVG.

Note that Gecko has serious security concerns with allowing subresource 
loads like this in SVG loaded via <img>; we currently disallow them 
altogether due to those concerns.  Such SVG documents can link to things 
internal to themselves and to data: URIs, but not to anything requiring 
network access.

SVG loaded via <object> is a different story, of course.

-Boris
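As an added example that is not part of this thread: a small Python check that sorts an SVG's references into the three buckets Boris describes (same-document fragments, data: URIs, and anything that would need network access), so an SVG can be vetted before it is served for use in <img>. The sample SVG, the `example.invalid` host and the function names are all constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
HREF_ATTRS = ("href", XLINK_HREF)
URL_FUNC = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""")  # url(...) in CSS-like values

def classify(ref):
    """'internal' = same-document fragment, 'data' = data: URI,
    'external' = anything else (http(s), protocol-relative, relative paths),
    i.e. a reference Gecko refuses to fetch for SVG loaded via <img>."""
    ref = ref.strip()
    if ref.startswith("#"):
        return "internal"
    if urlparse(ref).scheme.lower() == "data":
        return "data"
    return "external"

def svg_references(svg_text):
    """Return (reference, category) pairs in document order, covering href /
    xlink:href attributes, url(...) in presentation attributes and url(...)
    inside <style> text."""
    found = []
    for el in ET.fromstring(svg_text).iter():
        for name, value in el.attrib.items():
            if name in HREF_ATTRS:
                found.append((value, classify(value)))
            else:
                found.extend((m.group(1), classify(m.group(1))) for m in URL_FUNC.finditer(value))
        if el.tag.rsplit("}", 1)[-1] == "style" and el.text:
            found.extend((m.group(1), classify(m.group(1))) for m in URL_FUNC.finditer(el.text))
    return found

def safe_for_img(svg_text):
    """True when every reference can be satisfied without network access."""
    return all(cat != "external" for _, cat in svg_references(svg_text))

# Constructed sample: three allowed references and one that would be blocked.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <rect width="100" height="100" fill="url(#g)"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="10" height="10"/>
  <use href="#g"/>
  <image href="https://example.invalid/photo.png" width="10" height="10"/>
</svg>"""

if __name__ == "__main__":
    for ref, cat in svg_references(SAMPLE_SVG):
        print(f"{cat:9} {ref}")
    print("safe for <img>:", safe_for_img(SAMPLE_SVG))
```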
