- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Wed, 13 Jul 2022 17:02:22 +0000
- To: public-css-archive@w3.org
The CSS Working Group just discussed `[css-mediaqueries] Should prefers-color-scheme in SVG images be context-dependent?`, and agreed to the following:

* `RESOLVED: prefers-color-scheme in SVG rendered in secure animated mode is context-dependent`

<details><summary>The full IRC log of that discussion</summary>
<fantasai> Topic: [css-mediaqueries] Should prefers-color-scheme in SVG images be context-dependent?<br>
<fantasai> github: https://github.com/w3c/csswg-drafts/issues/7213<br>
<fantasai> emilio: I did check with the security folks at Mozilla, and they weren't concerned about making this apply even more generally to iframes<br>
<fantasai> emilio: Only attack is if a page is in an iframe and a top-level frame, can determine ???<br>
<fantasai> emilio: But no problem for SVG images<br>
<fantasai> emilio: I think it'd be nice to do it for iframes as well<br>
<fantasai> emilio: My discussion with them was that it's not a big concern, idk if other folks have an opinion<br>
<fantasai> smfr: On the WebKit side would be much more reluctant to do on iframes, but OK for SVG images<br>
<fantasai> smfr: Was having trouble finding text in HTML spec that SVG couldn't run script or load external images<br>
<fantasai> smfr: so part of this issue needs to clarify when SVG can load external resources or run script<br>
<chris> q+<br>
<fantasai> emilio: Why reluctant to make it work on iframes?<br>
<fantasai> emilio: We already communicate info about backgrounds<br>
<fantasai> smfr: I'd have to go back and ask the security ppl<br>
<astearns> ack chris<br>
<fantasai> chris: SVG images in <img> tag don't run scripts or fetch resources<br>
<dholbert> smfr: RE where it's defined that SVG Images don't run scripts, that's defined in https://svgwg.org/specs/integration/<br>
<fantasai> chris: if they are in <object> they can fetch and run script<br>
<fantasai> chris: It's not a function of SVG, but function of SVG's integration in external environment and what it allows them to do<br>
<dholbert> see https://svgwg.org/specs/integration/#secure-animated-mode<br>
<fantasai> astearns: When in <object> ...<br>
<dholbert> "Secure animated mode"<br>
<fantasai> chris: They can do everything<br>
<fantasai> astearns: Are they SVG images?<br>
<fantasai> chris: Yes, just not using an <img> tag<br>
<smfr> dholbert: but HTML doesn’t reference that everywhere it needs to<br>
<fantasai> emilio: From implementation point of view, they are iframes<br>
<TabAtkins> (as far as I recall) Chrome is fine with passing into any SVG that can't fetch or run script (aka <img> tags), and same-origin iframes.<br>
<fantasai> chris: Also if displayed standalone, same thing<br>
<fantasai> chris: they can run scripts, fetch resources, etc.<br>
<TabAtkins> We just don't want to open up new cross-origin communication bits.<br>
<fantasai> emilio: Seems there would be no objection to doing on SVG images<br>
<fantasai> emilio: and maybe file an issue about iframes<br>
<fantasai> smfr: Sounds good<br>
<astearns> ack TabAtkins<br>
<fantasai> TabAtkins: from what I recall, Chrome is fine with this so long as it doesn't open up new cross-origin communication bits<br>
<fantasai> TabAtkins: So SVG as img should be fine<br>
<fantasai> TabAtkins: and same-origin iframe should be fine<br>
<fantasai> smfr: That matches WebKit's preference, too<br>
<fantasai> emilio: OK, then we can discuss iframes separately<br>
<fantasai> emilio: I'm more interested in this SVG case<br>
<fantasai> emilio: It's not easy for the iframe to tell where the preference comes from<br>
<fantasai> emilio: we can discuss another time<br>
<astearns> ack fantasai<br>
<Zakim> fantasai, you wanted to propose resolution<br>
<fantasai> fantasai: Seems we have consensus on SVG as <img> and also same-origin iframe<br>
<fantasai> ???: what about SVGs that are rendered through CSS?<br>
<fantasai> fantasai: There's an embedding mode for SVG that does this, so anything in that embedding mode<br>
<fantasai> astearns: Maybe let's take a resolution on SVG first<br>
<fantasai> emilio: draw background in iframes, that doesn't care about same vs cross-origin, so unsure how to do that<br>
<fantasai> astearns: proposed that prefers-color-scheme in SVG-images is context-dependent<br>
<fantasai> smfr: "SVG rendered in secure animated mode"<br>
<smfr> https://svgwg.org/specs/integration/#secure-animated-mode<br>
<fantasai> astearns: objections?<br>
<fantasai> RESOLVED: prefers-color-scheme in SVG rendered in secure animated mode is context-dependent<br>
<fantasai> Meeting closed.<br>
<astearns> zakim, end meeting<br>
<Zakim> As of this point the attendees have been flackr, bramus, emilio, dholbert, rachelandrew, argyle, dbaron, alisonmaher, TabAtkins, plinss, jfkthame, chrishtr, jensimmons, GameMaker,<br>
<Zakim> ... oriol, faceless, fantasai, bkardell_, dandclark, lea, bradk, tantek, hober<br>
<Zakim> RRSAgent, please draft minutes v2<br>
<RRSAgent> I have made the request to generate https://www.w3.org/2022/07/13-css-minutes.html Zakim<br>
<Zakim> I am happy to have been of service, astearns; please remember to excuse RRSAgent. Goodbye<br>
</details>

--
GitHub Notification of comment by css-meeting-bot
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/7213#issuecomment-1183468735 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 13 July 2022 17:02:24 UTC