- From: Behdad Esfahbod <behdad@google.com>
- Date: Thu, 18 Sep 2014 13:01:14 +0200
- To: Sairus Patel <sppatel@adobe.com>
- Cc: "robert@ocallahan.org" <robert@ocallahan.org>, "public-svgopentype@w3.org" <public-svgopentype@w3.org>
- Message-ID: <CAOY=jUQUkt0drM+qnUzEHaT-Beo8xYSo2TqEg096JuR-uCvCHw@mail.gmail.com>
On Wed, Sep 17, 2014 at 7:43 PM, Sairus Patel <sppatel@adobe.com> wrote: > I think solid security best practices suggest we also add the > uncompressed length of each SVGZ doc (see Adobe’s original proposal I > pointed to earlier in the thread). > I don't think so. HTTP Transfer-Encoding doesn't include the original length for example. I never understood that argument. Clients can use heuristics to compensate. For example, a client can allocate an 8kb buffer on stack and try decompressing. Only if that is not sufficient, they need to do something else. Another approach would avoid allocating a full decompression buffer completely, by chaining a gzip decompression stream to the XML parsing library, completely obviating this issue. Note that gzip has a max compression rate of around 1100, so it's not like a 1kb gzip buffer can explode to gigabytes either. I don't think any action is needed here. It's convenient to have the original buffer length in case of WOFF, but not needed for any security reason IMO, and certainly not for any reasons other than convenience. behdad > So it looks like we need an ‘SVG ‘ table with version 1 (current OFF > proposal is version 0), with an optional set of uncompressed lengths > (perhaps a particular “uncompressed length” can be set to 0 to indicate > that its corresponding SVG doc is not compressed). Since such a version 1 > table using SVGZ would not be compatible with version 0 engines > (Mozilla’s), there would have to be some language indicating version 0 is > deprecated in some way or that engines may reject an SVGZ with version 0 > due to security reasons. This way, Behdad and others can continue to use > SVGZ with version 0. > > Sairus > > From: Robert O'Callahan <robert@ocallahan.org> > Reply-To: Robert O'Callahan <robert@ocallahan.org> > Date: Tuesday, September 16, 2014 at 2:07 PM > To: Behdad Esfahbod <behdad@google.com> > Cc: Sairus Patel <sppatel@adobe.com>, "public-svgopentype@w3.org" < > public-svgopentype@w3.org> > Subject: Re: Compressed SVG? (and a couple of announcements) > > On Wed, Sep 17, 2014 at 3:30 AM, Behdad Esfahbod <behdad@google.com> > wrote: > >> As a concrete proposal, I like to suggest updating the spec to allow >> SVGZ where SVG is currently accepted, with no other changes. WDYT? >> > > That sounds OK I guess. > > Rob > -- > oIo otoeololo oyooouo otohoaoto oaonoyooonoeo owohooo oioso oaonogoroyo > owoiotoho oao oboroootohoeoro oooro osoiosotoeoro owoiololo oboeo > osouobojoeocoto otooo ojouodogomoeonoto.o oAogoaoiono,o oaonoyooonoeo > owohooo > osoaoyoso otooo oao oboroootohoeoro oooro osoiosotoeoro,o o‘oRoaocoao,o’o > oioso > oaonosowoeoroaoboloeo otooo otohoeo ocooouoroto.o oAonodo oaonoyooonoeo > owohooo > osoaoyoso,o o‘oYooouo ofooooolo!o’o owoiololo oboeo oiono odoaonogoeoro > ooofo > otohoeo ofoioroeo ooofo ohoeololo. >
Received on Thursday, 18 September 2014 11:02:00 UTC