[whatwg] Fetch SVG images with No CORS tainted cross-origin
Anne van Kesteren
annevk at annevk.nl
Fri Sep 13 01:43:25 PDT 2013
On Fri, Sep 13, 2013 at 9:27 AM, Dirk Schulze <dschulze at adobe.com> wrote:
> So, I wonder how that behavior could be described.
I think you'd have a mode switch and maybe a wrapper for Fetch that
only calls it for data and blob URLs. It seems like you don't really
want to invoke Fetch at all for SVG as image. Do scripts even execute
in that context? How do you get blob URLs?
I suppose we could have a mode for that in Fetch too, but it seems
really SVG specific so I'm not sure that's warranted.
> SVG with "single security origin": The SVG is not allowed to fetch any external resources. References in the same document and dataURLs, blobs are allowed.
> SVG "as document": Allowed to fetch resources with No CORS - But: possibly CORS enabled depending on the referencing element (<object>, <embed> or <iframe>).
> Would it be possible to define it that way? If the former named elements, then use the fetching mechanism defined by these elements. Otherwise use "single security origin"? Could Fetch define "single security origin"?
This sentence doesn't make sense. At least the "otherwise" clause in
it. I'm not sure "single security origin" makes sense either as I
think you don't want to do any fetching whatsoever. If something does
a fetch, you want to return network error immediately and don't even
attempt to make a connection as that could leak information. So SVG
resources should have a "locked down flag" and when it's set "SVG
fetch" or whatever you end up calling the wrapper will return "network
error" rather than invoking "fetch" unless the URL's scheme is about,
blob, or data I suppose.
More information about the whatwg