W3C home > Mailing lists > Public > www-style@w3.org > October 2012

Re: [css4-images] support for SVG Paint Servers without element()

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 24 Oct 2012 18:07:40 -0400
Message-ID: <508866AC.4010305@mit.edu>
To: www-style@w3.org
On 10/24/12 5:56 PM, Dirk Schulze wrote:
> Means resources like SVG mask, gradient,patterns,filters,clippath must
> be from the same origin?

Yes.

> Why that?

Because masking and such are detectable (e.g. for hit-testing), so if 
you do cross-origin loads there you can read information cross-origin 
from SVG files by using various parts of those files as masks.

> SVG does not have such restrictions.

The SVG spec doesn't have much in the way of security considerations at 
all.  It's been a problem in the past.

>> The latter can't be changed without breaking compat, but changing the
>> former may expose security issues.
>
> Can you give me an example? How can an external mask cause a security
> issue?

See above.

> How do you handle it on pure SVGs?

Exactly the same way: all paint servers and whatnot must be same-origin 
with the linking file.  The one "exception" is that paint servers from 
data: are OK; the concept of "origin" for data: is as usual a bit fuzzy.

-Boris
Received on Wednesday, 24 October 2012 22:08:08 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:21:01 GMT