- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 23 Apr 2014 15:31:19 +0200
- To: Mike West <mkwst@google.com>
- Cc: Ted Mielczarek <ted@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Apr 23, 2014 at 3:24 PM, Mike West <mkwst@google.com> wrote:
> Given that, consider two scenarios:
>
> A. 'https://example.com/image.jpg' which redirects to
> 'https://evil.com/image.jpg'
> B. 'https://example.com/image.svg' which loads 'https://evil.com/image.jpg'
>
> If we disallow A, why would we allow B?

I don't think Gecko allows SVG-as-image to load other resources, as that would be less "safe" than <img>. It's a minor privacy violation.

Again, the problem here is that SVG-as-image is not a well-defined concept.

--
http://annevankesteren.nl/
Received on Wednesday, 23 April 2014 13:31:46 UTC
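The exchange above turns on whether an SVG rendered as an image may fetch sub-resources, and from which origins. As an added example that is not part of the thread and not Gecko or Chromium code, the following Node.js script scans an SVG document for every reference that would trigger a load when rendered (href/xlink:href attributes, CSS url() and @import) and groups them by origin relative to the SVG's own assumed origin, so a reviewer can tell scenario B's cross-origin fetch apart from harmless in-document fragment references. The sample SVG and the origin https://example.com are constructed for the example.

```javascript
// Added example, not from the mailing-list thread: find the sub-resource
// references an SVG would fetch when rendered, and classify them by origin.
// Uses only regular expressions and the WHATWG URL class, so it runs in
// Node.js without a browser or a DOM.

// Assumed origin the SVG is served from (scenario B in the thread).
const SVG_ORIGIN = "https://example.com";

// Constructed sample: an SVG that pulls an image and a stylesheet from third
// parties, one same-origin image, and one in-document gradient reference.
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <image xlink:href="https://evil.com/image.jpg" width="10" height="10"/>
  <image href="/local.png" width="10" height="10"/>
  <style>@import url("https://fonts.evil.com/f.css"); .a { fill: url(#grad); }</style>
  <use href="#grad"/>
  <rect class="a" width="10" height="10"/>
</svg>`;

// Attribute and CSS forms that cause a load when the SVG is rendered.
const ATTR_RE = /\b(?:xlink:)?href\s*=\s*["']([^"']+)["']/gi;
const CSS_URL_RE = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;
const CSS_IMPORT_RE = /@import\s+(?:url\(\s*)?["']([^"']+)["']/gi;

// Return every distinct reference string found in the SVG text, in document order.
function extractReferences(svgText) {
  const refs = new Set();
  for (const re of [ATTR_RE, CSS_URL_RE, CSS_IMPORT_RE]) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(svgText)) !== null) refs.add(m[1]);
  }
  return [...refs];
}

// Classify references: fragment-only refs (#id) stay inside the document and
// fetch nothing; everything else is resolved against the SVG's origin and
// bucketed as same-origin or cross-origin.
function classifyReferences(svgText, svgOrigin = SVG_ORIGIN) {
  const result = { internal: [], sameOrigin: [], crossOrigin: [] };
  const baseOrigin = new URL(svgOrigin).origin;
  for (const ref of extractReferences(svgText)) {
    if (ref.startsWith("#")) {
      result.internal.push(ref);
      continue;
    }
    let url;
    try {
      url = new URL(ref, svgOrigin + "/");
    } catch {
      continue; // unparseable reference; a renderer would not fetch it either
    }
    if (url.origin === baseOrigin) result.sameOrigin.push(url.href);
    else result.crossOrigin.push(url.href);
  }
  return result;
}

// Usage: print the classification for the constructed sample.
console.log(JSON.stringify(classifyReferences(SAMPLE_SVG), null, 2));
```

For the sample, the cross-origin bucket contains the evil.com image and the fonts.evil.com stylesheet, which is exactly the load that scenario B would perform if SVG-as-image were allowed to fetch external resources; the same-origin and fragment references are the ones a renderer could satisfy without contacting a third party.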