Re: [css4-images] support for SVG Paint Servers without element()

On 10/24/12 5:56 PM, Dirk Schulze wrote:
> Means resources like SVG mask, gradient, patterns, filters, clippath must
> be from the same origin?

Yes.

> Why that?

Because masking and such are detectable (e.g. for hit-testing), so if 
you do cross-origin loads there you can read information cross-origin 
from SVG files by using various parts of those files as masks.

> SVG does not have such restrictions.

The SVG spec doesn't have much in the way of security considerations at 
all.  It's been a problem in the past.

>> The latter can't be changed without breaking compat, but changing the
>> former may expose security issues.
>
> Can you give me an example? How can an external mask cause a security
> issue?

See above.

> How do you handle it on pure SVGs?

Exactly the same way: all paint servers and whatnot must be same-origin 
with the linking file.  The one "exception" is that paint servers from 
data: are OK; the concept of "origin" for data: is as usual a bit fuzzy.

-Boris

Received on Wednesday, 24 October 2012 22:08:08 UTC
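
The rule stated in the message above (paint servers must be same-origin with the linking file, with data: as the one exception), sketched as an added JavaScript example. It is not code from the thread or from any browser; the function name, reason strings and URLs are constructed for illustration, and treating opaque origins as never matching is an assumption of the example.

```javascript
// Added illustration, not browser source. classifyPaintServerRef is a
// hypothetical helper; all URLs below are constructed sample values.
function classifyPaintServerRef(ref, documentUrl) {
  let doc, target;
  try {
    doc = new URL(documentUrl);
    target = new URL(ref, doc); // resolve relative refs against the linking file
  } catch {
    return { allowed: false, reason: "unparseable" };
  }
  // data: carries the resource inline; the message names it as the one exception.
  if (target.protocol === "data:") return { allowed: true, reason: "data-url" };

  // Fragment-only reference into the linking file itself (e.g. url(#grad)).
  const withoutFragment = (u) => u.href.split("#")[0];
  if (withoutFragment(target) === withoutFragment(doc)) {
    return { allowed: true, reason: "same-document" };
  }
  // Opaque origins (file:, blob of unknown source, ...) serialize as "null".
  // Assumption: two "null" strings must not be treated as the same origin.
  if (target.origin === "null" || doc.origin === "null") {
    return { allowed: false, reason: "opaque-origin" };
  }
  // Same origin means scheme, host and port all match.
  return target.origin === doc.origin
    ? { allowed: true, reason: "same-origin" }
    : { allowed: false, reason: "cross-origin" };
}

// Constructed sample: references a stylesheet or SVG might make.
const page = "https://a.example/art/page.svg";
for (const ref of [
  "#grad",
  "masks.svg#m",
  "https://b.example/masks.svg#m",
  "http://a.example/art/masks.svg#m",
  "data:image/svg+xml,%3Csvg%2F%3E#m",
]) {
  const r = classifyPaintServerRef(ref, page);
  console.log(`${r.allowed ? "load " : "block"} ${r.reason.padEnd(14)} ${ref}`);
}
```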