On Tue, Apr 9, 2013 at 6:54 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > You say "needs to be". Does that mean there's wiggle room given > current implementations? As I said before, they could all use "tainted > cross-origin" as fetching model and for returned mask resources that > means they will not work if marked CORS cross-origin. > That's an incompatible change for cross-origin SVG resources served with Access-Control-Allow-Origin. I suppose usage is low enough that is probably acceptable. So I think your approach to unifying the fetch algorithm could work OK. The remaining problem is "processed as an external resource document" vs "processed as a regular image load". For security reasons we restrict SVG image documents severely: in particular they may not trigger any kind of external load (e.g. images) of their own. On the other hand, SVG external resource documents are treated more leniently; they may load external images and other (same-origin) SVG external resource documents. I don't think we could maintain this distinction with your proposal. We can't relax the constraints on SVG image documents, so we'd have to severely restrict SVG external resource documents loaded via url(). They aren't currently used much (Webkit doesn't support them at all) so we could do that, but it would mean altering the SVG spec in incompatible ways and there might be content that breaks. And I'd really want to try implementing it before committing to this approach, since there might be lurking problems. Rob -- q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"
Received on Tuesday, 9 April 2013 10:54:33 UTC