[whatwg] Fetch SVG images with No CORS tainted cross-origin
Anne van Kesteren
annevk at annevk.nl
Wed Nov 27 06:08:56 PST 2013
On Wed, Nov 27, 2013 at 1:13 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> Note that Gecko has serious security concerns with allowing subresource
> loads like this in SVG loaded via <img>; we currently disallow them
> altogether due to those concerns. Such SVG documents can link to things
> internal to themselves and to data: URIs, but not to anything requiring
> network access.
> SVG loaded via <object> is a different story, of course.
It seems weird to say "Gecko has serious security concerns". Either
there's a factual security issue or not, right? And as far as I can
tell the issue is that if someone allows uploading SVG images, people
could include tracker images in those SVG images. And therefore the
SVG specification should simply outlaw that. Note that even then those
SVG images cannot be hosted same-origin unless you run them through
some kind of whitelist-based filter.
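
An added example, not part of the original message: a minimal check for the restriction described above, in which an SVG may reference only things internal to itself and data: URIs. The function names and the constructed sample (including the tracker.example host) are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]*)['\"]?\s*\)", re.I)
CSS_IMPORT = re.compile(r"@import\s+['\"]([^'\"]+)['\"]", re.I)


def is_local(ref):
    """True only for same-document fragments (#id) and data: URIs."""
    ref = ref.strip()
    return ref.startswith("#") or ref.lower().startswith("data:")


def external_references(svg_text):
    """Return the sorted references that would require network access."""
    root = ET.fromstring(svg_text)
    found = set()
    for el in root.iter():
        for name, value in el.attrib.items():
            if name in ("href", "src", XLINK_HREF):
                refs = [value]
            else:
                # style="...", fill="url(...)", filter="url(...)" and similar
                refs = CSS_URL.findall(value)
            found.update(r for r in refs if r.strip() and not is_local(r))
        # <style> element content: url(...) and @import "..."
        if el.tag.rsplit("}", 1)[-1] == "style" and el.text:
            refs = CSS_URL.findall(el.text) + CSS_IMPORT.findall(el.text)
            found.update(r for r in refs if r.strip() and not is_local(r))
    return sorted(found)


# Constructed sample: an uploaded SVG mixing internal, data: and remote references.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><linearGradient id="g"/></defs>
  <style>@import "https://tracker.example/a.css"; rect { fill: url(#g); }</style>
  <rect fill="url(#g)" width="10" height="10"/>
  <use xlink:href="#g"/>
  <image href="data:image/png;base64,AAAA"/>
  <image xlink:href="https://tracker.example/pixel.png"/>
</svg>"""

if __name__ == "__main__":
    for ref in external_references(SAMPLE):
        print("external reference:", ref)
```

This only reports references found in element attributes and `<style>` content; it does not cover script elements or `xml-stylesheet` processing instructions, and it is a check on a parsed document rather than the whitelist-based filter itself.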