Perhaps this quite recent FPWD can provide some clarity around the concepts?

http://www.w3.org/TR/svg-integration/

On Wed, Apr 23, 2014 at 6:31 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Apr 23, 2014 at 3:24 PM, Mike West <mkwst@google.com> wrote:
> > Given that, consider two scenarios:
> >
> > A. 'https://example.com/image.jpg' which redirects to
> > 'https://evil.com/image.jpg'
> > B. 'https://example.com/image.svg' which loads 'https://evil.com/image.jpg'
> >
> > If we disallow A, why would we allow B?
>
> I don't think Gecko allows SVG-as-image to load other resources as
> that would be less "safe" than <img>. It's a minor privacy violation.
> Again, the problem here is that SVG-as-image is not a well defined
> concept.
>
> --
> http://annevankesteren.nl/

Received on Wednesday, 23 April 2014 14:53:20 UTC