Re: [filter-effects][css-masking] Move security model for resources to CSP

On Tue, Apr 9, 2013 at 2:45 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> I actually just was reminded on one possible security flaw with SVG image and external references.
>
> Take an account at Twitter or Facebook. For both it is not possible to upload an SVG as image. One reason could be the following scenario:
> * I upload an SVG file and add a image reference in the SVG file <image xlink:href=…"/>
> * This reference has a different origin where the image (e.g a PNG) is hosted
> * The sever hosting this image now can log how often the image was loaded and can make assumptions how often the user profile was clicked on this portal.

I suggest reading carefully through the bug Robert referenced and my
analyses in response. We discussed exactly this.


--
http://annevankesteren.nl/

Received on Tuesday, 9 April 2013 13:50:15 UTC