W3C home > Mailing lists > Public > www-style@w3.org > September 2015

Re: SVG image security restrictions

From: Robert O'Callahan <robert@ocallahan.org>
Date: Tue, 15 Sep 2015 12:04:29 +1200
Message-ID: <CAOp6jLYewCMyPPvyyj7Q7wHy3ef0_ypoa_EE-3VPe8nWXkDmMA@mail.gmail.com>
To: "public-fx@w3.org" <public-fx@w3.org>, www-style <www-style@w3.org>
Oops, sent too early.

We could add a new image-loading mechanism that lets authors opt into
allowing SVG images to load external resources. However, that may make it
too easy for authors to accidentally enable the above scenarios.

A better idea might be to provide a way to pass in resources as parameters,
including from a CSS style sheet. This might even perform better if you
have a lot of SVG images using the same resources. Sketch:
  background-image: url-with-params("image.svg", "shared-resources.svg");
In the SVG:
  <rect fill="param(1#pattern)">
You'd require everything in url-with-params to be same-origin.

lbir ye,ea yer.tnietoehr  rdn rdsme,anea lurpr  edna e hnysnenh hhe uresyf
selthor  stor  edna  siewaoeodm  or v sstvr  esBa  kbvted,t
o l euetiuruewFa  kbn e hnystoivateweh uresyf tulsa rehr  rdm  or rnea
.a war hsrer holsa rodvted,t  nenh hneireseoouot.tniesiewaoeivatewt sstvr
Received on Tuesday, 15 September 2015 00:04:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:08:57 UTC