- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 26 Nov 2013 20:13:51 -0500
- To: whatwg@lists.whatwg.org
On 11/26/13 5:50 PM, Ian Hickson wrote:
>> But the image inside this image would also be loaded as basic fetch
>> tainted cross origin. Right?
>
> That's up to SVG.

Note that Gecko has serious security concerns with allowing subresource loads like this in SVG loaded via <img>; we currently disallow them altogether due to those concerns. Such SVG documents can link to things internal to themselves and to data: URIs, but not to anything requiring network access.

SVG loaded via <object> is a different story, of course.

-Boris
Received on Wednesday, 27 November 2013 01:14:25 UTC
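
The rule described in the message above, as an added example (not part of the original post and not Gecko's code): a JavaScript audit that sorts the references in an SVG into same-document, data: and everything else, the last group being what would need a fetch and so would not load when the SVG is used via <img>. The regex-based extraction, the function names and the sample SVG are assumptions made for illustration.

```javascript
// Added illustration: approximates the stated rule, not Gecko's implementation.
// Constructed sample SVG with internal, data: and network references.
const SAMPLE_SVG = `
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><linearGradient id="g"/></defs>
  <rect fill="url(#g)" width="10" height="10"/>
  <use xlink:href="#shape"/>
  <image href="data:image/png;base64,AAAA"/>
  <image xlink:href="https://example.test/pixel.png"/>
  <rect style="fill:url('https://example.test/paint.svg#p')"/>
</svg>`;

// Classify one reference. Anything that is not a fragment or a data: URI
// (absolute URLs, relative paths, empty values) is treated conservatively
// as needing a fetch.
function classifyRef(ref) {
  const v = ref.trim();
  if (v.startsWith('#')) return 'internal';
  if (/^data:/i.test(v)) return 'data';
  return 'network';
}

// Pull reference values out of href / xlink:href / src attributes and CSS url().
// Namespace declarations (xmlns, xmlns:xlink) are not matched by design.
function collectRefs(svgText) {
  const refs = [];
  const attrRe = /\s(?:xlink:href|href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const urlRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]+))\s*\)/gi;
  let m;
  while ((m = attrRe.exec(svgText)) !== null) refs.push(m[1] ?? m[2]);
  while ((m = urlRe.exec(svgText)) !== null) refs.push(m[1] ?? m[2] ?? m[3]);
  return refs;
}

// Group every reference by class; a non-empty `network` list means the SVG
// depends on resources that would not load under the <img> restriction.
function auditSvgForImageUse(svgText) {
  const report = { internal: [], data: [], network: [] };
  for (const ref of collectRefs(svgText)) report[classifyRef(ref)].push(ref);
  return report;
}

console.log(auditSvgForImageUse(SAMPLE_SVG));
```

A regex scan is enough for a quick audit of trusted-format files; a real sanitizer for untrusted uploads should work on a parsed DOM instead.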