- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 27 Nov 2013 14:08:56 +0000
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: WHATWG <whatwg@lists.whatwg.org>

On Wed, Nov 27, 2013 at 1:13 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Note that Gecko has serious security concerns with allowing subresource
> loads like this in SVG loaded via <img>; we currently disallow them
> altogether due to those concerns. Such SVG documents can link to things
> internal to themselves and to data: URIs, but not to anything requiring
> network access.
>
> SVG loaded via <object> is a different story, of course.

It seems weird to say "Gecko has serious security concerns". Either there's a factual security issue or not, right? And as far as I can tell the issue is that if someone allows uploading SVG images, people could include tracker images in those SVG images. And therefore the SVG specification should simply outlaw that.

Note that even then those SVG images cannot be hosted same-origin unless you run them through some kind of whitelist-based filter.

--
http://annevankesteren.nl/

Received on Wednesday, 27 November 2013 14:09:28 UTC
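
The restriction described in the quoted message (links internal to the document and data: URIs only, nothing requiring network access) can be checked on uploaded SVG before it is served. The Python sketch below is an added example, not part of the original email and not Gecko's code; the function names and the sample document are constructed, and it only inspects `href`/`xlink:href` attributes and CSS `url()` references, so it is an audit of those references rather than the whitelist-based filter the message mentions.

```python
import re
import xml.etree.ElementTree as ET

# CSS-style url(...) references, as used in fill=, filter=, style= and <style> text.
URL_FUNC = re.compile(r"url\(\s*['\"]?([^'\")]*)['\"]?\s*\)", re.I)

def is_local(ref):
    """True for same-document fragments and data: URIs (no network access needed)."""
    ref = ref.strip()
    return ref == "" or ref.startswith("#") or ref.lower().startswith("data:")

def external_refs(svg_text):
    """Return (element, attribute, reference) for each reference that needs the network."""
    # Refuse DTDs: entity declarations could hide references from this scan.
    if "<!doctype" in svg_text.lower():
        raise ValueError("SVG with a DTD is not accepted")
    found = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.split("}")[-1]           # drop the namespace part
        for name, value in el.attrib.items():
            attr = name.split("}")[-1]        # href and xlink:href both become "href"
            refs = [value] if attr == "href" else URL_FUNC.findall(value)
            found += [(tag, attr, r) for r in refs if not is_local(r)]
        # Element text, e.g. the contents of <style>.
        found += [(tag, "text", r) for r in URL_FUNC.findall(el.text or "")
                  if not is_local(r)]
    return found

# Constructed sample: internal and data: references next to two external ones.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><linearGradient id="g"/></defs>
  <rect fill="url(#g)" width="10" height="10"/>
  <use xlink:href="#g"/>
  <image xlink:href="data:image/png;base64,AAAA"/>
  <image xlink:href="https://tracker.example/pixel.png"/>
  <style>rect { background: url('//cdn.example/a.png') }</style>
</svg>"""

if __name__ == "__main__":
    for tag, attr, ref in external_refs(SAMPLE):
        print(f"<{tag}> {attr}: {ref}")
```
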