Re: [CSP] SVG-in-img implementation difference

On Wed, Apr 23, 2014 at 3:24 PM, Mike West <mkwst@google.com> wrote:
> Given that, consider two scenarios:
>
> A. 'https://example.com/image.jpg' which redirects to
> 'https://evil.com/image.jpg'
> B. 'https://example.com/image.svg' which loads 'https://evil.com/image.jpg'
>
> If we disallow A, why would we allow B?

I don't think Gecko allows SVG-as-image to load other resources as
that would be less "safe" than <img>. It's a minor privacy violation.
Again, the problem here is that SVG-as-image is not a well defined
concept.


-- 
http://annevankesteren.nl/

Received on Wednesday, 23 April 2014 13:31:46 UTC
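
As an added example (not part of the original message and not any browser's implementation): a static audit that lists the cross-origin resources an SVG file references, which is what scenario B in the quoted text would fetch if a renderer permitted it. The function names, the `allowed_origins` parameter and the sample SVG are constructed for illustration; the check is not exhaustive (for example, CSS `@import "..."` without `url()` is not covered).

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")

# Constructed sample: one cross-origin <image>, one same-origin <image>,
# one local fragment reference, one cross-origin CSS url().
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://evil.com/image.jpg" width="10" height="10"/>
  <image href="https://example.com/logo.png" width="10" height="10"/>
  <rect style="fill: url(#grad)" width="10" height="10"/>
  <style>rect { background: url('https://evil.com/bg.png'); }</style>
</svg>"""

def origin(url):
    """scheme://host[:port] for network URLs; None for relative, fragment or data: URLs."""
    parts = urlsplit(url)
    if parts.netloc and parts.scheme in ("", "http", "https"):
        # Protocol-relative URLs (//host/path) are treated as https here (assumption).
        return f"{parts.scheme or 'https'}://{parts.netloc.lower()}"
    return None

def external_references(svg_text, allowed_origins):
    """Return (element, url) pairs whose origin is outside allowed_origins."""
    if "<!doctype" in svg_text.lower():
        # Refuse DTDs so entity-expansion tricks never reach the XML parser.
        raise ValueError("SVG with a DOCTYPE is rejected")
    found = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        candidates = []
        for name, value in el.attrib.items():
            # <a href> is navigation, not a subresource load, so it is skipped.
            if name in ("href", XLINK_HREF) and tag != "a":
                candidates.append(value)
            candidates += CSS_URL.findall(value)  # style="" and presentation attributes
        if tag == "style":
            candidates += CSS_URL.findall(el.text or "")
        for url in candidates:
            org = origin(url)
            if org is not None and org not in allowed_origins:
                found.append((tag, url))
    return found

if __name__ == "__main__":
    for tag, url in external_references(SAMPLE_SVG, {"https://example.com"}):
        print(f"<{tag}> references {url}")
```
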