Re: preventing SVG script from running

From: Robert O'Callahan <robert@ocallahan.org>
Date: Thu, 21 Oct 2010 12:36:54 +1300
Message-ID: <AANLkTikrTaq+1N5LWxo_ZASX3ZRYe5zZZX25SYncQ1RU@mail.gmail.com>
To: Jennifer Yu <Jennifer.Yu@microsoft.com>
Cc: "www-svg@w3.org" <www-svg@w3.org>

On Thu, Oct 21, 2010 at 11:59 AM, Jennifer Yu <Jennifer.Yu@microsoft.com> wrote:

> If I have a server that hosts SVG, is there any way to prevent another
> website from executing script embedded within the SVG on my server?
> The description of the HTML <img> tag allows a web author to prevent
> externally-hosted SVG from executing script. I did not, however, find
> mention of a way to prevent an external site from executing script within
> SVG hosted on my server. If I want to treat SVG like another image format
> and allow users to upload SVG images to my server, is there currently any
> way to prevent script inside the uploaded SVG from executing?

No. The Web doesn't really support this. For example, any site can embed an
<iframe> that loads a page from your site and runs script in it. We try to
prevent the outer document from poking the inner document (with mixed
success, see clickjacking).

"Now the Bereans were of more noble character than the Thessalonians, for
they received the message with great eagerness and examined the Scriptures
every day to see if what Paul said was true." [Acts 17:11]
Received on Wednesday, 20 October 2010 23:37:28 UTC