On Sun, Feb 10, 2013 at 9:16 AM, Dirk Schulze <dschulze@adobe.com> wrote: > At WebKit, we decided that we could not predict possible security issues > with allowing arbitrary content on glyphs at the time of implementing SVG > Fonts. Even if it looks like we have a somehow trustable security concept, > it sounds like an unnecessary risk. In general I would like to limit the > graphical elements to basic shapes. I am not even sure if <text> would make > a lot of sense on a glyph, but it might be ok. It would require a font, > which most likely is an external resource so. > We decided to make the restrictions on SVG glyphs be exactly the same as the restrictions on SVG images. We've seen no reason to believe there are any additional security issues for SVG glyphs. Rob -- Wrfhf pnyyrq gurz gbtrgure naq fnvq, “Lbh xabj gung gur ehyref bs gur Tragvyrf ybeq vg bire gurz, naq gurve uvtu bssvpvnyf rkrepvfr nhgubevgl bire gurz. Abg fb jvgu lbh. Vafgrnq, jubrire jnagf gb orpbzr terng nzbat lbh zhfg or lbhe freinag, naq jubrire jnagf gb or svefg zhfg or lbhe fynir — whfg nf gur Fba bs Zna qvq abg pbzr gb or freirq, ohg gb freir, naq gb tvir uvf yvsr nf n enafbz sbe znal.” [Znggurj 20:25-28]
Received on Sunday, 10 February 2013 08:57:21 UTC