- From: Amelia Bellamy-Royds via GitHub <sysbot+gh@w3.org>
- Date: Sun, 18 Aug 2019 20:09:17 +0000
- To: public-svg-issues@w3.org
@longsonr Can you explain which part of that issue is relevant? (There's 9 years of comments & much of it is out of date). Conforming SVG-as-image loads shouldn't be allowed to make `<use>` references to other _files_, same origin or not. (SVG as image should never trigger additional file fetches of any type.) If the SVG is loaded as an active document (iframe, object, view image in its own tab), then cross-origin pings to other domains can already happen using `<image>`, as in the original example in that thread, so cross-origin `<use>` doesn't add an extra risk. (Unless the hosting domain is sanitizing the SVG files for crossorigin `href` on some elements but not on others. But I don't know of any such file scrubbers.) -- GitHub Notification of comment by AmeliaBR Please view or discuss this issue at https://github.com/w3c/svgwg/issues/707#issuecomment-522351290 using your GitHub account
Received on Sunday, 18 August 2019 20:09:19 UTC