- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Thu, 19 Sep 2019 05:30:14 +0000
- To: public-svg-issues@w3.org
The SVG Working Group just discussed `Referencing SVGs through USE from other domains`, and agreed to the following: * `RESOLVED: defer cross origin use element references to post-SVG 2` <details><summary>The full IRC log of that discussion</summary> <heycam> Topic: Referencing SVGs through USE from other domains<br> <heycam> github: https://github.com/w3c/svgwg/issues/707<br> <heycam> AmeliaBR: cross origin use elements<br> <heycam> ... right now, use elements can clone from the same file, or from a different file on the same domain. we do have good support for both of those<br> <heycam> ... we have no way of cloning from a file on another domain, which is problematic for people who use CDNs for static assets<br> <heycam> krit: we already resolved to move that to SVG 2, but Blink is waiting for feedback if they can implement it<br> <heycam> AmeliaBR: Robert Longson, Mozilla contributor, pointed out other browsers haven't supported <image>, <feImage>, cross origin references<br> <heycam> ... so shouldn't count on them doing it for <use><br> <heycam> ... but we did have fsoder on the Chromium team saying it shouldn't be too difficult to consider<br> <heycam> emilio: from Opera<br> <heycam> krit: do we stand by our resolution to defer?<br> <heycam> AmeliaBR: we all agree it's desired, but should it be in SVG 2<br> <heycam> myles: are there implementations?<br> <heycam> emilio: no<br> <heycam> myles: then it shouldn't be in SVG 2<br> <heycam> emilio: what are the security implementations? not confident enough about that<br> <heycam> AmeliaBR: it's similar to other active content references, cross origin filters<br> <heycam> emilio: but cross origin use elements insert content inside the host document<br> <heycam> ... it's not the same as just applying a filter<br> <heycam> emilio: if you leave the foreignObject details as is, that could be a security issue<br> <heycam> AmeliaBR: the other things we strip are things like scripts<br> <heycam> emilio: scripts only run once, so the clone knows the script has already run<br> <heycam> AmeliaBR: and you don't scripts in the external file<br> <heycam> ... but security things would need to be spelled out clearly<br> <heycam> emilio: someone should do a security audit of the feature<br> <heycam> ... cross origin filters, didn't want we want to remove them?<br> <heycam> mstange: it's come up again and again<br> <heycam> ... this is filter on cross origin iframes<br> <heycam> ... nobody has suggested removing cross origin images referenced by feImage<br> <heycam> AmeliaBR: the closest thing here is something like HTML Imports, cloning content into the DOM from another file<br> <heycam> ... even for that reason, let's wait for the HTML folks to figure out the security concerns here<br> <heycam> ... and we really need to get SVG 2 stabilized<br> <heycam> ... minutes from Jul 16 had 3 different solutions<br> <heycam> ... we'll go back to the first one: add cross origin use references to a future spec, rather than in SVG 2 and at risk<br> <heycam> krit: I would rather let us defer the entire feature<br> <heycam> AmeliaBR: so override our July resolution to put it in the spec as at risk, and just say we'd like to it, but not in SVG 2. maybe add a note to authors/implementors in the spec<br> <heycam> krit: could also be done in the CG<br> <heycam> RESOLVED: defer cross origin use element references to post-SVG 2<br> <AmeliaBR> All text issues: https://github.com/w3c/svgwg/issues?q=is%3Aopen+is%3Aissue+label%3A%22Text+chapter%22<br> <AmeliaBR> Two tagged internationalization: https://github.com/w3c/svgwg/issues?q=is%3Aopen+is%3Aissue+label%3Ai18n-tracking<br> </details> -- GitHub Notification of comment by css-meeting-bot Please view or discuss this issue at https://github.com/w3c/svgwg/issues/707#issuecomment-532972664 using your GitHub account
Received on Thursday, 19 September 2019 05:30:16 UTC