W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2013

Re: [whatwg] Fetch SVG images with No CORS tainted cross-origin

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 27 Nov 2013 14:08:56 +0000
Message-ID: <CADnb78jaDA6aYsePoGTONp_yRsRDyLXpQhepr4wLDmcMiEy5DA@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WHATWG <whatwg@lists.whatwg.org>
On Wed, Nov 27, 2013 at 1:13 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Note that Gecko has serious security concerns with allowing subresource
> loads like this in SVG loaded via <img>; we currently disallow them
> altogether due to those concerns.  Such SVG documents can link to things
> internal to themselves and to data: URIs, but not to anything requiring
> network access.
> SVG loaded via <object> is a different story, of course.

It seems weird to say "Gecko has serious security concerns". Either
there's a factual security issue or not, right? And as far as I can
tell the issue is that if someone allows uploading SVG images, people
could include tracker images in those SVG images. And therefore the
SVG specification should simply outlaw that. Note that even then those
SVG images cannot be hosted same-origin unless you run them through
some kind of whitelist-based filter.

Received on Wednesday, 27 November 2013 14:09:28 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:14 UTC