On Apr 9, 2013, at 6:49 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Apr 9, 2013 at 2:45 PM, Dirk Schulze <dschulze@adobe.com> wrote:
>> I actually just was reminded of one possible security flaw with SVG image and external references.
>>
>> Take an account at Twitter or Facebook. For both it is not possible to upload an SVG as image. One reason could be the following scenario:
>> * I upload an SVG file and add an image reference in the SVG file <image xlink:href=…"/>
>> * This reference has a different origin where the image (e.g. a PNG) is hosted
>> * The server hosting this image now can log how often the image was loaded and can make assumptions how often the user profile was clicked on this portal.
>
> I suggest reading carefully through the bug Robert referenced and my
> analyses in response. We discussed exactly this.

Great! To be honest it is a bit hard to follow.

>
>
> --
> http://annevankesteren.nl/

Received on Tuesday, 9 April 2013 13:52:15 UTC
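An upload-side check for the scenario quoted above, as an added example that is not part of the original thread: it lists the `href` / `xlink:href` values in an SVG that would make a viewer's browser fetch from another origin. The function name, the sample SVG and the `social.example` / `tracker.example` hosts are constructed for illustration; only `href` attributes are covered, not CSS `url()` references.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample upload: one cross-origin image plus three harmless references.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://tracker.example/pixel.png" width="1" height="1"/>
  <image href="/static/avatar.png"/>
  <use xlink:href="#shape"/>
  <image href="data:image/png;base64,AAAA"/>
</svg>"""


def external_references(svg_text, site_origin):
    """Return (element, url) pairs whose URL points at an origin other than site_origin.

    The stdlib parser keeps the example self-contained; for untrusted uploads
    use an XML parser hardened against entity-expansion attacks.
    """
    site = urlsplit(site_origin)
    found = []
    for el in ET.fromstring(svg_text).iter():
        for attr in (XLINK_HREF, "href"):
            url = (el.get(attr) or "").strip()
            # Same-document fragments and inline data never leave the document.
            if not url or url.startswith("#") or url.lower().startswith("data:"):
                continue
            parts = urlsplit(url)
            if not parts.scheme and not parts.netloc:
                continue  # relative URL: resolves against the hosting site
            same_host = parts.netloc.lower() == site.netloc.lower()
            # An empty scheme means a protocol-relative URL (//host/path).
            same_scheme = parts.scheme.lower() in ("", site.scheme.lower())
            if not (same_host and same_scheme):
                found.append((el.tag.rsplit("}", 1)[-1], url))
    return found


if __name__ == "__main__":
    for tag, url in external_references(SAMPLE_SVG, "https://social.example"):
        print(f"<{tag}> loads from another origin: {url}")
```
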