W3C home > Mailing lists > Public > www-style@w3.org > October 2012

Re: [css4-images] support for SVG Paint Servers without element()

From: Dirk Schulze <dschulze@adobe.com>
Date: Wed, 24 Oct 2012 14:56:33 -0700
To: "robert@ocallahan.org" <robert@ocallahan.org>
CC: "www-style@w3.org list" <www-style@w3.org>
Message-ID: <63B1E1B2-3630-47D5-9D9C-6F541ECB08F5@adobe.com>


On Oct 24, 2012, at 2:51 PM, "Robert O'Callahan" <robert@ocallahan.org<mailto:robert@ocallahan.org>> wrote:

On Wed, Oct 24, 2012 at 4:19 AM, Dirk Schulze <dschulze@adobe.com<mailto:dschulze@adobe.com>> wrote:
Btw. you will run into the same problem with the 'fill' and 'stroke' properties. Both will take a paint server reference and a <image> value in SVG 2. (Resolved during the last SVG F2F.) This is why it makes more sense to be consistent IMO.

That is a big problem :-(. I'll bring it up with the SVG working group.

Apart from what I already mentioned, we apply a same-origin restriction when loading external resource documents but not when loading images.

Means resources like SVG mask, gradient,patterns,filters,clippath must be from the same origin? Why that? SVG does not have such restrictions.


The latter can't be changed without breaking compat, but changing the former may expose security issues.


Can you give me an example? How can an external mask cause a security issue? How do you handle it on pure SVGs?

Dirk

Rob
--
“You have heard that it was said, ‘Love your neighbor and hate your enemy.’ But I tell you, love your enemies and pray for those who persecute you, that you may be children of your Father in heaven. ... If you love those who love you, what reward will you get? Are not even the tax collectors doing that? And if you greet only your own people, what are you doing more than others?" [Matthew 5:43-47]

Received on Wednesday, 24 October 2012 21:57:06 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:21:01 GMT