- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 27 Nov 2013 11:39:23 -0500
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WHATWG <whatwg@lists.whatwg.org>

On 11/27/13 9:08 AM, Anne van Kesteren wrote:
> It seems weird to say "Gecko has serious security concerns". Either
> there's a factual security issue or not, right?

In theory, yes. In practice, opinions seem to differ, not least because one person's security/privacy issue is another's business model.

In this particular case, last I checked, other UAs are more permissive than Gecko, and seem to not care about the issue we care about in this situation.

> And as far as I can tell the issue is that if someone allows uploading SVG images, people
> could include tracker images in those SVG images.

That's correct.

> And therefore the SVG specification should simply outlaw that.

I'm all for that, obviously. ;)

> Note that even then those SVG images cannot be hosted same-origin unless you run them through
> some kind of whitelist-based filter.

Indeed.

-Boris

Received on Wednesday, 27 November 2013 16:39:59 UTC
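
One way a whitelist-based filter for uploaded SVG, as mentioned in the thread above, could look; this is an added example, not part of the original message or of any browser's code. The allowlists, the function name `filter_svg` and the sample upload are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Constructed allowlists for illustration: <image>, <script>, <style>,
# <foreignObject> and event-handler attributes are deliberately not listed.
ALLOWED_TAGS = {SVG + t for t in ("svg g path rect circle ellipse line polyline "
                                  "polygon title desc defs use").split()}
ALLOWED_ATTRS = set("id d x y x1 y1 x2 y2 cx cy r rx ry width height viewBox "
                    "points fill stroke stroke-width".split())
HREF_ATTRS = {"href", XLINK_HREF}
SAFE_VALUE = re.compile(r"[\w\s#.,%+-]*", re.ASCII)  # no parens, colons, backslashes
LOCAL_REF = re.compile(r"#[\w.-]+", re.ASCII)        # same-document fragment only

ET.register_namespace("", SVG[1:-1])
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

def _scrub(elem):
    for name, value in list(elem.attrib.items()):
        if name in HREF_ATTRS:
            keep = LOCAL_REF.fullmatch(value) is not None
        else:
            keep = name in ALLOWED_ATTRS and SAFE_VALUE.fullmatch(value) is not None
        if not keep:
            del elem.attrib[name]
    for child in list(elem):
        if child.tag in ALLOWED_TAGS:
            _scrub(child)
        else:
            elem.remove(child)  # drops the element and its whole subtree

def filter_svg(text):
    """Return a filtered SVG string, or raise ValueError if the input is rejected."""
    if "<!doctype" in text.lower():
        raise ValueError("DOCTYPE not allowed")  # no DTDs or entity definitions
    root = ET.fromstring(text)
    if root.tag != SVG + "svg":
        raise ValueError("root element is not svg in the SVG namespace")
    _scrub(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample upload: one harmless shape plus remote references.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <rect id="r" width="10" height="10" fill="#0a0" onclick="x()"/>
  <image xlink:href="https://tracker.example/pixel.png" width="1" height="1"/>
  <use xlink:href="https://tracker.example/a.svg#s"/>
  <use xlink:href="#r"/>
</svg>"""
```

Anything not named on the allowlists is dropped rather than matched against a list of known-bad constructs, so the filtered output can only reference fragments inside the same document.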