[whatwg] Fetch SVG images with No CORS tainted cross-origin
Boris Zbarsky
bzbarsky at MIT.EDU
Wed Nov 27 08:39:23 PST 2013
On 11/27/13 9:08 AM, Anne van Kesteren wrote:
> It seems weird to say "Gecko has serious security concerns". Either
> there's a factual security issue or not, right?
In theory, yes.
In practice, opinions seem to differ, not least because one person's
security/privacy issue is another's business model.
In this particular case, last I checked, other UAs are more permissive
than Gecko, and seem to not care about the issue we care about in this
situation.
> And as far as I can tell the issue is that if someone allows uploading SVG images, people
> could include tracker images in those SVG images.
That's correct.
> And therefore the SVG specification should simply outlaw that.
I'm all for that, obviously. ;)
> Note that even then those SVG images cannot be hosted same-origin unless you run them through
> some kind of whitelist-based filter.
Indeed.
-Boris
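As an added illustration of the whitelist-based filter the reply mentions (example code written for this page, not Gecko code or anything posted in the thread): an allowlist SVG sanitizer that drops every element or reference that would make the browser fetch a remote resource, so an uploaded SVG served same-origin cannot carry a tracker image. The allowlists, helper names and the sample SVG are constructed for this example.

```python
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)  # serialise back as plain <svg xmlns=...>
ET.register_namespace("xlink", XLINK_NS)
# Constructed, deliberately small allowlists; extend per application.
ALLOWED_TAGS = {"svg", "g", "defs", "use", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "text", "tspan", "title", "desc", "stop",
                "linearGradient", "radialGradient"}
ALLOWED_ATTRS = {"id", "x", "y", "width", "height", "viewBox", "d", "cx", "cy", "r",
                 "rx", "ry", "x1", "y1", "x2", "y2", "points", "fill", "stroke",
                 "stroke-width", "transform", "offset", "stop-color"}
REF_ATTRS = {"href", "{%s}href" % XLINK_NS}

def _local(name):  # "{ns}tag" -> "tag"
    return name.rsplit("}", 1)[-1]

def _unsafe(attr, value):
    # References may only point into the same document ("#id"); anything that could
    # make the UA fetch a remote resource (http:, //, url(http...)) is rejected.
    if attr in REF_ATTRS:
        return not (value.startswith("#") and len(value) > 1)
    return _local(attr) not in ALLOWED_ATTRS or ("url(" in value and "url(#" not in value)

def _clean(elem, removed):
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_TAGS:
            removed.append("element <%s>" % _local(child.tag))
            elem.remove(child)  # drops the whole subtree (<image>, <script>, <foreignObject>, ...)
        else:
            _clean(child, removed)
    for attr, value in list(elem.attrib.items()):
        if _unsafe(attr, value):
            removed.append("%s=%r" % (_local(attr), value))
            del elem.attrib[attr]

def sanitize_svg(svg_text):
    """Return (sanitized SVG string, list describing what was stripped)."""
    root = ET.fromstring(svg_text)
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("not an SVG document")
    removed = []
    _clean(root, removed)
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample upload: one legitimate same-document reference plus remote ones.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<use href="#shape"/><use xlink:href="https://cdn.example/lib.svg#icon"/>
<image xlink:href="https://tracker.example/pixel.gif" width="1" height="1"/>
<circle cx="5" cy="5" r="2" fill="url(https://tracker.example/g.svg#g)"/><script>x()</script></svg>"""
```

For untrusted uploads, parse with a hardened XML parser such as defusedxml instead of plain ElementTree, since the allowlist says nothing about entity-expansion attacks on the parser itself.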