On Wed, Apr 10, 2013 at 1:25 AM, Robert O'Callahan <robert@ocallahan.org>wrote: > On Wed, Apr 10, 2013 at 1:15 AM, Anne van Kesteren <annevk@annevk.nl>wrote: > >> Furthermore, people could be tricked into loading the SVG >> resource directly! (It's not something you want to host same-origin >> for instance, whereas hosting a PNG same-origin is always fine.) >> > > That is a good point. I think we didn't consider that, and that may mean > it's just not safe to host uploaded SVG images at all currently, at least > not without severe sanitization. Needs more thought than I can give it > tonight. > It seems to me that with our current restrictions on SVG images, Web developers can safely host SVG images in a "sandbox" domain, and safely use those images cross-origin from the main site. If we enable external loads for SVG images, the examples of trickery in https://bugzilla.mozilla.org/show_bug.cgi?id=628747#c0 are enabled against such sites. So I still don't see any painless solution here. Rob -- q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"
Received on Wednesday, 10 April 2013 02:51:51 UTC