[whatwg] Fetch SVG images with No CORS tainted cross-origin
Boris Zbarsky
bzbarsky at MIT.EDU
Tue Nov 26 17:13:51 PST 2013
On 11/26/13 5:50 PM, Ian Hickson wrote:
>> But the image inside this image would also be loaded as basic fetch
>> tainted cross origin. Right?
>
> That's up to SVG.
Note that Gecko has serious security concerns with allowing subresource
loads like this in SVG loaded via <img>; we currently disallow them
altogether due to those concerns. Such SVG documents can link to things
internal to themselves and to data: URIs, but not to anything requiring
network access.
SVG loaded via <object> is a different story, of course.
-Boris
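Boris's message describes a policy rather than code: an SVG shown through <img> may reference fragments of itself and data: URIs, but nothing that needs a network fetch. The following added example (it is not from this thread and not Gecko's implementation) is a small Node.js audit that applies that stated policy to an SVG file before it is published for use in <img>, so that any reference Gecko would refuse to load is found ahead of time. It uses regular expressions rather than a full XML parser, and the SVG document it scans is constructed for the example; the function names (classifyRef, collectRefs, externalRefs, isSelfContained) are the example's own, and the three categories are this example's labels for the cases the post names, not Gecko's internal terms.

```javascript
// Added example (not from the whatwg thread or from Gecko): audit the
// subresource references in an SVG that will be displayed via <img>,
// applying the policy described in the post: same-document fragments and
// data: URIs are usable, anything requiring network access is not.

// href / xlink:href attributes (e.g. <image>, <use>, <a>, filters, gradients).
const ATTR_REF = /\b(xlink:href|href)\s*=\s*(["'])(.*?)\2/gi;
// CSS-style url(...) references, in presentation attributes or <style> text.
const CSS_URL_REF = /url\(\s*(["']?)([^"')]*)\1\s*\)/gi;

// Constructed sample SVG: one gradient fragment reference, one data: image,
// one network image, one <use> pointing back into the document.
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <rect fill="url(#g)" width="100" height="100"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="10" height="10"/>
  <image href="https://example.com/logo.png" width="10" height="10"/>
  <use xlink:href="#g"/>
</svg>`;

// Map a single reference value to one of the post's three cases.
function classifyRef(value) {
  const v = value.trim();
  if (v === "" || v.startsWith("#")) return "internal"; // same-document fragment
  if (/^data:/i.test(v)) return "data";                  // inline data: URI
  return "external"; // relative or absolute URL: needs a fetch outside the document
}

// Collect every reference with where it came from and how it is classified.
function collectRefs(svgText) {
  const refs = [];
  for (const m of svgText.matchAll(ATTR_REF)) {
    refs.push({ source: m[1].toLowerCase(), value: m[3], kind: classifyRef(m[3]) });
  }
  for (const m of svgText.matchAll(CSS_URL_REF)) {
    refs.push({ source: "url()", value: m[2], kind: classifyRef(m[2]) });
  }
  return refs;
}

// The references that would be refused when the SVG is loaded through <img>.
function externalRefs(svgText) {
  return collectRefs(svgText)
    .filter((r) => r.kind === "external")
    .map((r) => r.value);
}

// True when the SVG relies only on itself and data: URIs.
function isSelfContained(svgText) {
  return externalRefs(svgText).length === 0;
}

// Report for the constructed sample.
for (const r of collectRefs(SAMPLE_SVG)) {
  console.log(`${r.kind.padEnd(8)} ${r.source.padEnd(10)} ${r.value}`);
}
console.log("self-contained:", isSelfContained(SAMPLE_SVG));
```

Running it over the sample lists four references and flags only the https:// image as external, which is the one Gecko would not load in the <img> case described above; the data: image and both fragment references pass. Because the scan is textual it will also pick up references inside <style> blocks, but it does not see references assembled by script, which is consistent with the <img> case since script does not run there anyway.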