- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 24 Oct 2012 18:07:40 -0400
- To: www-style@w3.org
On 10/24/12 5:56 PM, Dirk Schulze wrote:
> Means resources like SVG mask, gradient, patterns, filters, clippath must
> be from the same origin?

Yes.

> Why that?

Because masking and such are detectable (e.g. for hit-testing), so if you do cross-origin loads there you can read information cross-origin from SVG files by using various parts of those files as masks.

> SVG does not have such restrictions.

The SVG spec doesn't have much in the way of security considerations at all. It's been a problem in the past.

>> The latter can't be changed without breaking compat, but changing the
>> former may expose security issues.
>
> Can you give me an example? How can an external mask cause a security
> issue?

See above.

> How do you handle it on pure SVGs?

Exactly the same way: all paint servers and whatnot must be same-origin with the linking file. The one "exception" is that paint servers from data: are OK; the concept of "origin" for data: is as usual a bit fuzzy.

-Boris
Received on Wednesday, 24 October 2012 22:08:08 UTC
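
The rule stated in the message above (external masks, gradients, patterns, filters and clip paths must be same-origin with the linking file, with data: as the one exception), sketched as an added example that is not part of the original message and not any browser's actual code. The function name, return shape and sample URLs are assumptions made for illustration.

```javascript
// Added illustration of the same-origin rule for external SVG resources.
// checkPaintServerReference and its return shape are hypothetical.

// Compare two URLs ignoring the fragment, to detect same-document references.
function withoutFragment(url) {
  const copy = new URL(url.href);
  copy.hash = "";
  return copy.href;
}

function checkPaintServerReference(documentUrl, reference) {
  let doc, target;
  try {
    doc = new URL(documentUrl);
    target = new URL(reference, doc); // resolves relative and "#id" references
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }

  // The one "exception" named in the message: data: resources are OK.
  if (target.protocol === "data:") {
    return { allowed: true, reason: "data: exception" };
  }

  // A fragment-only reference points back into the linking file itself.
  if (withoutFragment(target) === withoutFragment(doc)) {
    return { allowed: true, reason: "same document" };
  }

  // Opaque origins (e.g. file:) serialize to "null"; two opaque origins
  // must never be treated as equal, so refuse rather than compare strings.
  if (doc.origin === "null" || target.origin === "null") {
    return { allowed: false, reason: "opaque origin" };
  }

  // Origin is scheme + host + port; default ports are already normalized.
  return doc.origin === target.origin
    ? { allowed: true, reason: "same origin" }
    : { allowed: false, reason: "cross-origin" };
}

// Constructed sample: one linking document, several mask references.
const page = "https://app.example/art/page.svg";
for (const ref of ["#m", "masks.svg#m", "https://other.example/masks.svg#m",
                   "http://app.example/masks.svg#m", "data:image/svg+xml,%3Csvg/%3E#m"]) {
  console.log(ref, "->", checkPaintServerReference(page, ref).reason);
}
```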