- From: Lea Verou via GitHub <sysbot+gh@w3.org>
- Date: Sat, 22 Jun 2024 14:40:23 +0000
- To: public-css-archive@w3.org

@zcorpan If a static image is hotlinked, it can absolutely phone home, since it can be server-generated and the URL rewritten to look like a regular static image. Though I see your point: if SVGs could phone home, disallowing hotlinking would not be enough. But then it sounds like same-origin URLs should be fine?

@tabatkins What is insecure about SVGs being able to link to **same origin URLs**? We can introduce an opt-in mechanism for cross-origin requests.

@brandonmcconnell Whatever we come up with should work in CSS too, which is the biggest pain point (for HTML one can always use `<object>` worst case). An attribute doesn’t.

@BlackStar1991 Nobody is talking about clicking hyperlinks. I doubt that’s even possible with the current image rendering pipeline. This is about linking to **resources** like fonts, CSS files, or other SVGs.

--
GitHub Notification of comment by LeaVerou

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/10481#issuecomment-2184056836 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 22 June 2024 14:40:24 UTC