Re: [whatwg] Fetch SVG images with No CORS tainted cross-origin

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 6 Dec 2013 19:41:34 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Message-ID: <alpine.DEB.2.00.1312061936120.27766@ps20323.dreamhostps.com>
Cc: whatwg@lists.whatwg.org

On Tue, 26 Nov 2013, Boris Zbarsky wrote:
> On 11/26/13 5:50 PM, Ian Hickson wrote:
> > > But the image inside this image would also be loaded as basic fetch 
> > > tainted cross origin. Right?
> > 
> > That's up to SVG.
> 
> Note that Gecko has serious security concerns with allowing subresource 
> loads like this in SVG loaded via <img>; we currently disallow them 
> altogether due to those concerns.  Such SVG documents can link to things 
> internal to themselves and to data: URIs, but not to anything requiring 
> network access.
> 
> SVG loaded via <object> is a different story, of course.

The spec currently says:

"User agents must not support non-image resources with the img element 
(e.g. XML files whose root element is an HTML element). User agents must 
not run executable code (e.g. scripts) embedded in the image resource. 
User agents must only display the first page of a multipage resource (e.g. 
a PDF file). User agents must not allow the resource to act in an 
interactive fashion, but should honor any animation in the resource."

I'm happy to add more (e.g. blocking subresources). I'd be even happier to 
do so in a way that explicitly hooks in to some logic on the SVG spec side 
that defines exactly how subresources and scripts are turned off.

Any other implementors agree with Mozilla on this?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 6 December 2013 19:42:00 UTC
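
The rule Boris describes for SVG loaded via <img> (references internal to the document and data: URIs are allowed, anything requiring network access is not) can be checked offline against a file. The following is an added example, not part of the original message and not Gecko's code; the function names and the sample SVG are constructed, and it inspects only href/xlink:href attributes and CSS url() values.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Captures the target of a CSS url(...) value, quoted or unquoted.
URL_FUNC = re.compile(r"url\(\s*['\"]?([^'\")]+?)['\"]?\s*\)", re.I)

# Constructed sample: three self-contained references, three that need the network.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><linearGradient id="g"/></defs>
  <rect fill="url(#g)" width="10" height="10"/>
  <use xlink:href="#g"/>
  <image href="data:image/png;base64,AAAA"/>
  <image xlink:href="https://other.example/pixel.png"/>
  <rect style="fill:url(https://other.example/paint.svg#p)"/>
  <style>rect { filter: url("//other.example/f.svg#blur") }</style>
</svg>"""


def is_self_contained(ref):
    """True for same-document fragments and data: URIs."""
    ref = ref.strip()
    return ref == "" or ref.startswith("#") or ref.lower().startswith("data:")


def network_references(svg_text):
    """Return (tag, attribute, reference) for every reference that would
    require a fetch outside the document, in document order."""
    found = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the namespace prefix
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1]
            if name in ("href", XLINK_HREF):
                refs = [value]                    # the attribute is the reference
            else:
                refs = URL_FUNC.findall(value)    # fill="url(...)", style="..."
            found += [(tag, attr, r) for r in refs if not is_self_contained(r)]
        if tag == "style" and el.text:            # inline stylesheet text
            found += [(tag, "css", r) for r in URL_FUNC.findall(el.text)
                      if not is_self_contained(r)]
    return found


if __name__ == "__main__":
    for hit in network_references(SAMPLE):
        print(hit)
```
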