
Re: [whatwg] Fetch SVG images with No CORS tainted cross-origin

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 27 Nov 2013 11:39:23 -0500
Message-ID: <5296203B.9080503@mit.edu>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WHATWG <whatwg@lists.whatwg.org>

On 11/27/13 9:08 AM, Anne van Kesteren wrote:
> It seems weird to say "Gecko has serious security concerns". Either
> there's a factual security issue or not, right?

In theory, yes.

In practice, opinions seem to differ, not least because one person's 
security/privacy issue is another's business model.

In this particular case, last I checked, other UAs are more permissive 
than Gecko, and seem to not care about the issue we care about in this 
situation.

> And as far as I can tell the issue is that if someone allows uploading SVG images, people
> could include tracker images in those SVG images.

That's correct.

> And therefore the SVG specification should simply outlaw that.

I'm all for that, obviously.  ;)

> Note that even then those SVG images cannot be hosted same-origin unless you run them through
> some kind of whitelist-based filter.

Indeed.

-Boris
Received on Wednesday, 27 November 2013 16:39:59 UTC
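The thread's point is that an uploaded SVG can embed references that make the viewer's browser fetch a third-party resource (a tracker pixel via `<image>`, an external `<use>` target, a `url(...)` in a paint property), so such uploads cannot be served same-origin unless they first pass through an allowlist-based filter. The following is an added example of such a filter in Python; it is not code from this thread, from the WHATWG, or from any browser project. The element and attribute allowlists, the sample upload, and the `tracker.example` host are constructed for illustration and are deliberately narrower than a real deployment would need.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Serialize with the default namespace for SVG and "xlink:" for XLink (instead of ns0:/ns1:).
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Allowlist (constructed for this example): anything not listed is dropped. Because
# <image>, <foreignObject>, <script> and <style> are simply absent, they disappear
# without any per-element special-casing, which is the point of an allowlist.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "use", "clipPath",
    "linearGradient", "radialGradient", "stop",
}
ALLOWED_ATTRS = {
    "id", "x", "y", "width", "height", "viewBox", "d", "points", "transform",
    "cx", "cy", "r", "rx", "ry", "x1", "y1", "x2", "y2", "fill", "stroke",
    "stroke-width", "opacity", "offset", "stop-color", "clip-path", "href",
}
# The only reference shape accepted inside a property value: url(#local-id).
_LOCAL_URL = re.compile(r"^url\(#[A-Za-z0-9_.:-]+\)$")


def _ns(tag):
    """Namespace URI of an ElementTree '{uri}local' name ('' if unqualified)."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _local(tag):
    """Local part of an ElementTree '{uri}local' name."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def _attr_reason(name, value):
    """Return None if the attribute may stay, otherwise a short reason to drop it."""
    ns, local = _ns(name), _local(name)
    value = value.strip()
    if ns not in ("", XLINK_NS):
        return "foreign namespace"
    if ns == XLINK_NS and local != "href":
        return "unexpected xlink attribute"
    if local not in ALLOWED_ATTRS:          # covers style=, on*= handlers, etc.
        return "not on allowlist"
    if local == "href" and not value.startswith("#"):
        return "reference is not a same-document fragment"
    if "url(" in value and not _LOCAL_URL.match(value):
        return "url() is not a same-document fragment"
    return None


def _scrub(elem, dropped):
    """Remove disallowed children and attributes in place, recording what was dropped."""
    for child in list(elem):
        if _ns(child.tag) != SVG_NS or _local(child.tag) not in ALLOWED_ELEMENTS:
            dropped.append(f"<{_local(child.tag)}> element removed")
            elem.remove(child)
        else:
            _scrub(child, dropped)
    for name, value in list(elem.attrib.items()):
        reason = _attr_reason(name, value)
        if reason is not None:
            display = f"xlink:{_local(name)}" if _ns(name) == XLINK_NS else name
            dropped.append(f"{display} attribute removed from <{_local(elem.tag)}>: {reason}")
            del elem.attrib[name]


def sanitize_svg(svg_text):
    """Return (clean_svg_text, dropped) for an uploaded SVG document.

    xml.etree is not hardened against entity-expansion attacks; parse untrusted
    uploads with defusedxml (or an equivalent) in production.
    """
    root = ET.fromstring(svg_text)
    if _ns(root.tag) != SVG_NS or _local(root.tag) != "svg":
        raise ValueError("root element is not an SVG <svg>")
    dropped = []
    _scrub(root, dropped)
    return ET.tostring(root, encoding="unicode"), dropped


# Constructed sample upload: one legitimate local gradient reference plus the kinds
# of external references (tracker.example is a placeholder) the filter has to strip.
SAMPLE_UPLOAD = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
  <defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <rect x="1" y="1" width="98" height="98" fill="url(#g)"/>
  <circle cx="50" cy="50" r="10" fill="url(http://tracker.example/bg.png)"
          style="stroke:url(http://tracker.example/s.png)"/>
  <image width="1" height="1" xlink:href="http://tracker.example/pixel.gif"/>
  <use xlink:href="http://tracker.example/lib.svg#icon"/>
  <use href="#g"/>
</svg>"""

if __name__ == "__main__":
    clean, dropped = sanitize_svg(SAMPLE_UPLOAD)
    print("\n".join(dropped))
    print(clean)
```

Run on the sample, the filter reports four removals (the `fill` and `style` values on `<circle>`, the whole `<image>`, and the external `xlink:href` on `<use>`) while keeping `fill="url(#g)"` and `<use href="#g"/>`, so the surviving document references nothing outside itself. The filter is an allowlist rather than a blocklist precisely because of Anne's observation: the set of ways an SVG can pull in an external resource is open-ended, so enumerating what to keep is the only approach that does not need updating every time a new reference mechanism appears.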