[whatwg] Fetch SVG images with No CORS tainted cross-origin

Anne van Kesteren annevk at annevk.nl
Fri Sep 13 04:15:22 PDT 2013


On Fri, Sep 13, 2013 at 10:52 AM, Dirk Schulze <dschulze at adobe.com> wrote:
> If Fetch is not just fetching external (as not in the current document) then we still need it for SVG. References within the same document must still work.

Fragment identifiers are to be handled by SVG. Again, your "SVG fetch"
wrapper could let through certain URLs and not others, but I'm not
sure if the only difference is a fragment identifier if that would
even go through Fetch. I kinda doubt it since Fetch is async and
fragment handling is generally sync. (Good question to answer for
https://github.com/slightlyoff/EventWorker/ though as that would make
this difference observable.)


>> Do scripts even execute
>> in that context? How do you get blob URLs?
>
> In WebKit and Blink you can't execute any script anywhere in an SVG document. I am not sure about Gecko but this is the feedback I got. Maybe someone from Mozilla can answer this.

You mean SVG image right? So how do you get a blob URL?


>> I suppose we could have a mode for that in Fetch too, but it seems
>> really SVG specific so I'm not sure that's warranted.
>
> Yes, it is quite SVG specific. I am fine with just dealing with it in SVG as long as possible. And I think it is not possible without changing the fetching on the requesters like <img>. (This is the case for CSS as well btw, which can reference SVG images - different topic.)

Well, for HTML <img> it's not about fetching. It just has to say that
when it gets SVG back, it sets the "locked down flag" or the "image
flag" or uses SVG in "image mode" or however SVG decides to name that.


> The second case would indeed need a flag like "locked down flag". This would just allow fetching of resources in the same document, dataURLs (with lock down for the content of dataURL) and possibly blob URLs.

There's no such thing as fetching resources in the same document.


> The requester needs to set this "lock down flag". So ideally it would be specified by the Fetch specification. Legacy fetching (used for image fetching) would set this flag by default. In this case no other specification but Fetch and CSS would need to change.

No that's not how this flag works. The flag is for an SVG resource and
when you interpret that resource and do SVG fetching it would come
into effect.


-- 
http://annevankesteren.nl/
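
The distinction debated in this thread (references that differ from the SVG document's URL only by a fragment are resolved by SVG without a fetch, `data:` and possibly `blob:` URLs might be let through, everything else is not), sketched as an added example that is not part of the original message or of any specification. The function names, the `allowBlob` option, the regex-based reference extraction and the sample hosts are assumptions made for illustration.

```javascript
// Added example: the policy and all names here are assumptions, not spec text.
// Constructed sample input; example.test and other.example are placeholder hosts.
const DOC_URL = "https://example.test/img/icon.svg";
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <linearGradient id="g"/>
  <rect fill="url(#g)"/>
  <use xlink:href="#g"/>
  <image href="data:image/png;base64,AAAA"/>
  <image href="https://other.example/x.png"/>
  <image href="blob:https://example.test/1234"/>
</svg>`;

// Return the serialized URL with its fragment removed.
function withoutFragment(url) {
  const copy = new URL(url.href);
  copy.hash = "";
  return copy.href;
}

// Classify one reference found in an SVG that is being used as an image.
function classifyReference(ref, documentUrl, { allowBlob = false } = {}) {
  let target;
  try {
    target = new URL(ref, documentUrl);
  } catch {
    return "blocked"; // unparseable reference
  }
  // Differs from the document URL only by fragment: resolved by SVG, no fetch.
  if (target.hash && withoutFragment(target) === withoutFragment(new URL(documentUrl))) {
    return "same-document";
  }
  // A data: resource would itself be interpreted under the same lock-down.
  if (target.protocol === "data:") return "data";
  if (target.protocol === "blob:") return allowBlob ? "blob" : "blocked";
  return "blocked"; // any other URL would need a network fetch
}

// Heuristic scan of href / xlink:href attributes and url(...) values.
function auditSvg(svgText, documentUrl, options) {
  const pattern = /(?:xlink:)?href\s*=\s*"([^"]*)"|url\(\s*['"]?([^'")\s]+)['"]?\s*\)/g;
  return [...svgText.matchAll(pattern)].map((m) => {
    const ref = m[1] ?? m[2];
    return { ref, verdict: classifyReference(ref, documentUrl, options) };
  });
}

console.log(auditSvg(SAMPLE_SVG, DOC_URL));
```

The regex scan is only good enough for auditing sample markup; a real implementation would walk the parsed document.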