- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Mon, 15 Jul 2019 20:45:54 +0000
- To: public-svg-issues@w3.org
The SVG Working Group just discussed `Referencing SVGs through USE from other domains`, and agreed to the following: * `RESOLUTION: Add cross-origin attribute to the <use> element in a current or future spec` * `RESOLVED: Add cross-origin attribute to the <use> element in a current or future spec` * `RESOLVED: Add the cross-origin attribute to the <use> element to SVG 2, and mark it at-risk` * `RESOLVED: Request implementation feedback about the cross-origin attribute to the <use> attribute` <details><summary>The full IRC log of that discussion</summary> <myles> Topic: Referencing SVGs through USE from other domains<br> <myles> GitHub: https://github.com/w3c/svgwg/issues/707<br> <myles> AmeliaBR: Should we add a cross origin attribute to the use element.<br> <myles> AmeliaBR: Right now, none of the browsers support <use> references to cross-origin files. But they do support it to the same origin.<br> <myles> AmeliaBR: When SVG introduced the cross-origin attribute for <image> and <script>, it was added to <use> but it got pulled back because it was unclear how it would work with shadow dom, and how that would affect cross-origin. I think that is cleared up now. The way we agreed that <use> should be a closed shadow dom where you can't access the internals<br> <myles> krit: I don't think we have consensus on that<br> <myles> AmeliaBR: I thought we agreed? I can dig up the issue<br> <AmeliaBR> https://github.com/w3c/svgwg/issues/363<br> <myles> AmeliaBR: Everyone agrees.<br> <myles> AmeliaBR: But! Neither of those really make a difference. All those complications would be the same. The use case brought up in this new issue makes a good point, that because cross-origin <use> isn't supported, the workaround that authors have to use is to fetch the cross-origin file with script, and then inject the markup directly in their page, because this is less-secure than <use> cross references, we say things like "don't run scripts"<br> <myles> krit: But if there is a less-secure method, then providing a more-secure method isn't necessarily a win for the users<br> <myles> AmeliaBR: There are two risks. 1) Allowing the current webpage access to the content from the other domain, but I'm not suggesting that we should allow free origin; it should be based on CORS<br> <myles> AmeliaBR: This is security for the webpage author when you're referencing a 3rd party domain, where the content on that 3rd party domain might change.<br> <myles> AmeliaBR: We get a little bit of extra security if the page author opts into it. Like CSP.<br> <myles> AmeliaBR: Also, it's easier for the author (less lines of code)<br> <myles> krit: We already define cross-origin attribute for other elements. Specification-wise, it wouldn't be a big deal to add it. Do you think implementations would implement it? Or should we move it to SVG 2.1.<br> <myles> AmeliaBR: I'd like to resolve that we'd like to add this, but then ask implementors whether they think it can come in the short term or whether it should be delayed<br> <myles> krit: Any concerns for adding the cross-origin attribute to <use>?<br> <myles> <silence><br> <myles> RESOLUTION: Add cross-origin attribute to the <use> element in a current or future spec<br> <myles> RESOLVED: Add cross-origin attribute to the <use> element in a current or future spec<br> <myles> krit: Since we resolved on that part, we can at least have a note with our intentions into SVG 2.<br> <myles> AmeliaBR: Sure. We can add a note and open issue, requesting implementor issue<br> <myles> krit: That's part two. For now, let's resolve on a note.<br> <myles> <some general discussion about the merits of a note vs normative text><br> <myles> AmeliaBR: We should start the request for feedback right away, on the issue therad.<br> <myles> *thread<br> <myles> RESOLVED: Add the cross-origin attribute to the <use> element to SVG 2, and mark it at-risk<br> <myles> RESOLVED: Request implementation feedback about the cross-origin attribute to the <use> attribute<br> </details> -- GitHub Notification of comment by css-meeting-bot Please view or discuss this issue at https://github.com/w3c/svgwg/issues/707#issuecomment-511563129 using your GitHub account
Received on Monday, 15 July 2019 20:45:56 UTC