- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 26 Nov 2013 22:50:48 +0000 (UTC)
- To: Dirk Schulze <dschulze@adobe.com>
- Cc: "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>
On Fri, 13 Sep 2013, Dirk Schulze wrote:
>
> If I understand HTML <img> fetching and the fetch spec right. The
> default behavior on image fetching is No CORS with the mode tainted
> cross-origin.
>
> For the example: <img src="image.svg">
>
> and image.svg:
>
> <svg>
> <image xlink:href="http://otherdomain.com/image.svg">
> </svg>
>
> In this case the image.svg would be fetched with basic fetch and tainted
> cross-origin.

Not sure what you mean by "basic" fetch, but more or less, sure.

> But the image inside this image would also be loaded as basic fetch
> tainted cross origin. Right?

That's up to SVG.

> To summarize. We have two kinds of possibilities of fetching in SVG:
>
> SVG with "single security origin": The SVG is not allowed to fetch any
> external resources. References in the same document and dataURLs, blobs
> are allowed.
>
> SVG "as document": Allowed to fetch resources with No CORS - But:
> possibly CORS enabled depending on the referencing element (<object>,
> <embed> or <iframe>).
>
> Would it be possible to define it that way? If the former named
> elements, then use the fetching mechanism defined by these elements.
> Otherwise use "single security origin"? Could Fetch define "single
> security origin"?

Anne answered the Fetch side of this; on the HTML side, I'm happy to
invoke a hook if SVG provides one.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 26 November 2013 22:51:12 UTC
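
The "single security origin" mode proposed in the quoted text can be expressed as a check over an SVG file's references. The following is an added example, not part of the original message or of any specification. It assumes that "external" means anything other than a same-document fragment, a data: URL or a blob: URL; the function names and the sample SVG are constructed for illustration, and only `href`/`xlink:href` attributes are examined.

```javascript
// Added example: classify SVG references under the proposed
// "single security origin" mode (assumed reading: fragments, data: and
// blob: URLs are allowed; everything else would need an external fetch).
// Regex extraction is a simplification; a real audit would use an XML parser.
const HREF_RE = /\b(?:xlink:href|href)\s*=\s*(["'])(.*?)\1/gi;

function classifyReference(ref) {
  const value = ref.trim();
  if (value.startsWith('#')) return 'same-document';
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(value);
  if (scheme) {
    const name = scheme[1].toLowerCase();
    if (name === 'data') return 'data-url';
    if (name === 'blob') return 'blob';
  }
  // Absolute URLs with other schemes and relative URLs both trigger a fetch.
  return 'external';
}

function auditSvg(svgText) {
  const findings = [];
  for (const m of svgText.matchAll(HREF_RE)) {
    const kind = classifyReference(m[2]);
    findings.push({ reference: m[2], kind, allowed: kind !== 'external' });
  }
  return findings;
}

function externalReferences(svgText) {
  return auditSvg(svgText).filter((f) => !f.allowed).map((f) => f.reference);
}

// Constructed sample: the first <image> is the one from the message above.
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://otherdomain.com/image.svg"/>
  <use href="#shape"/>
  <image href="data:image/png;base64,AAAA"/>
  <image href="blob:https://example.test/1234"/>
  <image href="sprites.svg"/>
</svg>`;

console.log(externalReferences(SAMPLE_SVG));
```
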