- From: Lea Verou via GitHub <sysbot+gh@w3.org>
- Date: Fri, 21 Jun 2024 11:34:57 +0000
- To: public-css-archive@w3.org
LeaVerou has just created a new issue for https://github.com/w3c/csswg-drafts:

== [svg] Is there any way we could allow SVGs to link to other files? ==

One of the biggest SVG pain points is around how locked down SVGs used in `<img>` or CSS background images are. My (potentially incorrect) understanding is that it was easier to do that at the time than properly investigate what the boundary is between addressing use cases while protecting end-users, and there was no interest from UAs to do the latter.

There seemed to be some activity recently around fixing longstanding SVG pain points, and some renewed interest from UAs, so it may be an opportune point to revisit this.

Currently, SVGs used in `<img>` or CSS are severely crippled:

- They cannot reference any web fonts, so any text is limited to system fonts. This harms accessibility as well, since authors have to resort to converting text to outlines, often with no textual fallback.
- They cannot reference external stylesheets, so they have no access to the page’s design tokens (colors, fonts, etc.)
- They cannot reference other SVGs so simple variations (e.g. a monochrome version of a logo or a + modifier on an icon) need to duplicate the entire graphic.

Could security folks explain the security risks involved so we could come up with a better solution than the current blanket ban on referencing (non-local) URLs? I’m really struggling to see what security risk importing a same-origin URL involves, especially when it’s one that’s *already* imported by the current document, but I’m not a security expert so I could be missing something.

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/10481 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 21 June 2024 11:34:58 UTC
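
To make the restriction described in the issue concrete, here is an added example (not part of the original message or of any browser's code) that lists the references in an SVG that point outside the file: the fonts, stylesheets and other SVGs the issue says are not loaded in `<img>` or CSS image use. The names `external_refs` and `is_local`, the sample markup and its paths are constructed for illustration, and treating `#fragment` and `data:` references as "local" is an assumption of this sketch.

```python
import re
import xml.etree.ElementTree as ET  # stdlib parser; prefer defusedxml for untrusted files

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""")
CSS_IMPORT = re.compile(r"""@import\s+['"]([^'"]+)['"]""")
PI_HREF = re.compile(r"""<\?xml-stylesheet[^>]*href=['"]([^'"]+)['"]""")

# Constructed sample: one external stylesheet, one web font, one external <use>,
# plus local references (#grad, data:) that stay inside the file.
SAMPLE = """<?xml-stylesheet href="/tokens.css" type="text/css"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <style>
    @font-face { font-family: Brand; src: url("/fonts/brand.woff2"); }
    text { font-family: Brand; fill: url(#grad); }
  </style>
  <linearGradient id="grad"/>
  <use xlink:href="logo.svg#mark"/>
  <use href="#grad"/>
  <image href="data:image/png;base64,AAAA"/>
</svg>"""

def is_local(ref):
    """Assumption: same-document fragments and data: URLs count as local."""
    ref = ref.strip()
    return ref.startswith("#") or ref.lower().startswith("data:")

def external_refs(svg_text):
    """Return a sorted list of (location, url) for every non-local reference."""
    found = {("xml-stylesheet", u) for u in PI_HREF.findall(svg_text)}
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        for attr in ("href", XLINK_HREF):
            # <a href> is a hyperlink, not a resource load, so it is skipped
            if attr in el.attrib and tag != "a":
                found.add((f"<{tag}> href", el.attrib[attr]))
        css = el.attrib.get("style", "")
        if tag == "style":
            css += el.text or ""
        for url in CSS_IMPORT.findall(css) + CSS_URL.findall(css):
            found.add((f"<{tag}> css", url))
        for name, value in el.attrib.items():  # fill="url(...)", filter="url(...)"
            if name != "style":
                for url in CSS_URL.findall(value):
                    found.add((f"<{tag}> {name}", url))
    return sorted((where, url) for where, url in found if not is_local(url))

if __name__ == "__main__":
    for where, url in external_refs(SAMPLE):
        print(f"{where}: {url}")
```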