W3C home > Mailing lists > Public > www-svg@w3.org > February 2011

Re: Announcement: Last Call WD of SVG 1.1 Second Edition

From: Robert O'Callahan <robert@ocallahan.org>
Date: Thu, 3 Feb 2011 01:21:07 +1300
Message-ID: <AANLkTimSpdCknRGVEMtXFAeMqT4BU1U8Q6wDFtGp9eA4@mail.gmail.com>
To: Erik Dahlstrom <ed@opera.com>
Cc: Doug Schepers <schepers@w3.org>, "www-svg@w3.org" <www-svg@w3.org>
On Thu, Feb 3, 2011 at 1:02 AM, Erik Dahlstrom <ed@opera.com> wrote:

> That depends on what "raster image" means to you, since that's what the
> pointer-events section you refer to has requirements on. I would say that
> <image xlink:href="foo.svg"> is not a raster image, whereas for example
> <image xlink:href="foo.png"> is. It would be simpler if the additional
> requirements were dropped, which would make both of these cases behave in a
> consistent manner.

Sure, we could declare that SVG images don't get the raster-image behavior
for pointer-events. That would be a bit unfortunate though, it'd be useful
to allow pointer events to go through transparent parts of SVG images.

>  Some things happened since my last message. For one thing, we implemented
>> <img src="foo.svg"> in Firefox and discovered security and privacy issues
>> if
>> you let foo.svg load resources cross-origin or maybe even let it load
>> resources from the same origin! So we're only allowing data: URLs in there
>> for now :-(. So my proposed attack is blocked by that.
> Could you describe these security and privacy issues in more detail? Are
> they issues stemming from CSS, HTML, SVG or a combination?

Hmm, I thought jwatt or heycam might have brought them up already.

Basically the problems are with sites that let you upload images. With SVG
images you can construct an image that contains an <image> pointing to a
resource on your server. Now, even after uploading that SVG image to a site,
you can track views of that image. This is a new capability --- the existing
image formats we support can't do this. It's not clear if sites that would
want to host SVG images are prepared for this.

You can block cross-origin loads but you have to be careful about open
redirectors --- you have to make sure that redirects aren't followed. It
seemed safer and easier to restrict SVG images to be completely
self-contained in Firefox 4, just like other images.

One thing to consider here is whether it's worth defining different
Content-Types for "fully self-contained image" and "image possibly
containing remote references" (and figure out which one you want to be the
default). This would let servers choose whether to support
non-self-contained images.

No, because we don't support pointer-events:visiblePainted or anything
>> equivalent.
> And that's never going to change? In light of what you write below it seems
> people want that functionality.

Indeed, I want it to change.

I think at this point we could implement pointer-events:visiblePainted for
all images without creating any information leaks. Later we could probably
relax the restrictions on SVG images a bit.

"Now the Bereans were of more noble character than the Thessalonians, for
they received the message with great eagerness and examined the Scriptures
every day to see if what Paul said was true." [Acts 17:11]
Received on Wednesday, 2 February 2011 12:21:40 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 March 2017 09:47:24 UTC