W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2014

Re: [CSP] SVG-in-img implementation difference

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 23 Apr 2014 07:52:47 -0700
Message-ID: <CAEeYn8id=FSXOQ7JGATDfgL6k9=PFHy02ox47X6Fabri8WTzHQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, Ted Mielczarek <ted@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Perhaps this quite recent FPWD can provide some clarity around the concepts?

http://www.w3.org/TR/svg-integration/


On Wed, Apr 23, 2014 at 6:31 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Apr 23, 2014 at 3:24 PM, Mike West <mkwst@google.com> wrote:
> > Given that, consider two scenarios:
> >
> > A. 'https://example.com/image.jpg' which redirects to
> > 'https://evil.com/image.jpg'
> > B. 'https://example.com/image.svg' which loads '
> https://evil.com/image.jpg'
> >
> > If we disallow A, why would we allow B?
>
> I don't think Gecko allows SVG-as-image to load other resources as
> that would be less "safe" than <img>. It's a minor privacy violation.
> Again, the problem here is that SVG-as-image is not a well defined
> concept.
>
>
> --
> http://annevankesteren.nl/
>
>
Received on Wednesday, 23 April 2014 14:53:20 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 23 April 2014 14:53:20 UTC