- From: Dirk Schulze <dschulze@adobe.com>
- Date: Mon, 2 Dec 2013 02:35:31 -0800
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: WHATWG <whatwg@lists.whatwg.org>

The document “SVG Integration Module Level 1” [1] is going to define the specifics of fetching in SVG. I hope to find the time to add actual content in January and would be happy for reviews after that.

Greetings,
Dirk

[1] https://dvcs.w3.org/hg/svg2/raw-file/7a902f4a33f6/specs/integration/Overview.html

On Nov 27, 2013, at 5:39 PM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

> On 11/27/13 9:08 AM, Anne van Kesteren wrote:
>> It seems weird to say "Gecko has serious security concerns". Either
>> there's a factual security issue or not, right?
>
> In theory, yes.
>
> In practice, opinions seem to differ, not least because one person's
> security/privacy issue is another's business model.
>
> In this particular case, last I checked, other UAs are more permissive
> than Gecko, and seem to not care about the issue we care about in this
> situation.
>
>> And as far as I can tell the issue is that if someone allows uploading SVG images, people
>> could include tracker images in those SVG images.
>
> That's correct.
>
>> And therefore the SVG specification should simply outlaw that.
>
> I'm all for that, obviously. ;)
>
>> Note that even then those SVG images cannot be hosted same-origin unless you run them through
>> some kind of whitelist-based filter.
>
> Indeed.
>
> -Boris
>

Received on Monday, 2 December 2013 10:36:09 UTC
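
The "whitelist-based filter" for uploaded SVG mentioned in the quoted exchange, sketched as an added example that is not part of the thread or of any specification. The element and attribute allowlists, the function names and the sample upload are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)
# Assumed allowlists for this sketch; anything not named here is dropped.
ALLOWED_TAGS = {"{%s}%s" % (SVG_NS, n) for n in (
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "use", "linearGradient", "stop")}
ALLOWED_ATTRS = {"id", "d", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r",
                 "rx", "ry", "width", "height", "viewBox", "points", "offset",
                 "transform", "fill", "stroke", "stroke-width", "stop-color"}
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
URL_FUNC = re.compile(r"url\(\s*['\"]?\s*([^)]*)", re.I)

def local_refs_only(value):
    if "\\" in value:  # CSS escapes could hide "url("; refuse them outright
        return False
    return all(t.startswith("#") for t in URL_FUNC.findall(value))

def clean(elem):
    for name, value in list(elem.attrib.items()):
        if name in HREF_ATTRS:  # only same-document fragments may be linked
            keep = value.strip().startswith("#")
        else:
            keep = name in ALLOWED_ATTRS and local_refs_only(value)
        if not keep:
            del elem.attrib[name]
    for child in list(elem):
        if child.tag in ALLOWED_TAGS:
            clean(child)
        else:
            elem.remove(child)  # unknown element: drop it and its subtree

def sanitize_svg(text):
    if "<!doctype" in text.lower():
        raise ValueError("DOCTYPE not accepted")  # no entity declarations
    root = ET.fromstring(text)
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not svg")
    clean(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample upload with external (tracker-style) and local references.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
<image xlink:href="https://tracker.example/pixel.png" width="1" height="1"/>
<rect width="9" height="9" fill="url(#g)"/><rect width="1" height="1" fill="url(https://tracker.example/p)"/>
<use xlink:href="https://tracker.example/s.svg#i"/><use xlink:href="#g"/></svg>"""
```

Calling `sanitize_svg(SAMPLE)` returns markup in which the `image` element and every external `href` or `url(...)` value are gone, while the local gradient reference survives.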