Re: [svgwg] Distinguish Two Main SVG Types of Usage (#837)

Hi Robert. That section is not addressing the same issue, and those categories would apply equally to the two scenarios that I mentioned. It's a big issue for me because of my "application" usage. I'm unclear as to how many other products fall into the same style of usage, but if you use Google for almost anything SVG-related then you'll be deluged by stuff about "SVG images" and "SVG files", thus pointing to a skew in its usage elsewhere.

Let me clarify my situation: my product (SVG-FTG) compiles a graphical application design (i.e. defined predominantly by using a mouse on a desktop screen) into a web application that involves HTML, inline SVG, CSS, and JavaScript. The inline SVG is used in the application UI, just as with HTML elements such as div, and so on. They have a common event mechanism and CSS styling, and so in this guise SVG is no less secure than the hosting HTML.

Unfortunately, some hosting sites ignore SVG completely, and when pressed they cite the security issues, but without being specific. As far as I'm aware, these issues relate to certain potential threats when an SVG file is naively accessed as an image file, thereby not appreciating that it is a document file rather than a normal image file (e.g. if an SVG file with malicious content is deployed as a CSS background image).

I can understand such sites being careful if you try to upload an SVG file as an image, but a significant number also disable inline SVG for no clear reason, other than possible ignorance.

Both of these scenarios (application UI versus separate file) can include the same range of SVG features, and so it's more about how that SVG is deployed. The issue is genuine but I'm open to other suggestions. It could be argued that it is one of education, but those ill-informed views seem entrenched, and it might even explain why this long-standing technology is nowhere near as accepted as HTML.

-- 
GitHub Notification of comment by ACProctor
Please view or discuss this issue at https://github.com/w3c/svgwg/issues/837#issuecomment-826071258 using your GitHub account



Received on Saturday, 24 April 2021 10:25:28 UTC