Re: SVG <glyph> element spec

On Fri, Dec 21, 2012 at 7:47 AM, Tavmjong Bah <tavmjong@free.fr> wrote:

> On Thu, 2012-12-20 at 08:02 -0800, Dirk Schulze wrote:
> > On Dec 20, 2012, at 2:45 AM, "David Dailey" <ddailey@zoominternet.net> wrote:
> >
> > > The Adobe ASV viewer supports arbitrary content inside <glyph>. Please let me know if a proposal to drop support for colors and other non-path content inside <glyph> gains traction. Emoji contain color as a semantic aspect of Unicode definitions of characters, and as those who saw our presentation in Boston about geometric accessibility, accessibility to special textual effects is permanently impaired if SVG is crippled in this way.
> > >
> > > It will be a good opportunity for me to learn to file formal objections through the W3C process, and I will be certain to do so!
> >
> > Is there a recording of the presentation? Or do you have a link to the documentation? This sounds like you are addressing pure visual aspects of styling.
> >
> > For WebKit we decided not to support arbitrary shapes because of different security considerations.
>
> I am curious to know what security consideration there would be to arbitrary shapes as compared to paths.
>
> Tav


It's not shapes that are a problem, it's arbitrary content. For example,
SVGImage or foreign object are allowed by the spec as written, and those
may link to external resources. Same, to a lesser extent, for <use>
elements or anything with a href. Loading external resources has security
implications, particularly when fonts themselves are frequently external
resources.

Stephen.

Received on Friday, 21 December 2012 13:04:32 UTC
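
An added example, not part of the original message or of any browser's code: a small audit that walks the `<glyph>` elements of an SVG font and reports the content the reply singles out (`image`, `foreignObject`, and any element carrying an href), separating same-document references from external ones. The sample font, the `example.invalid` URL and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG = "http://www.w3.org/2000/svg"
XLINK = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", f"{{{XLINK}}}href")

# Constructed sample: an SVG font whose glyphs carry more than path data.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><font id="f" horiz-adv-x="1000">
    <glyph unicode="a" d="M0 0 L100 0 L50 100 Z"/>
    <glyph unicode="b"><path d="M0 0 H100 V100 Z" fill="red"/></glyph>
    <glyph unicode="c"><image xlink:href="https://example.invalid/p.png"/></glyph>
    <glyph unicode="d"><use xlink:href="#local"/></glyph>
    <glyph unicode="e"><foreignObject><p xmlns="http://www.w3.org/1999/xhtml"/></foreignObject></glyph>
  </font></defs>
</svg>"""

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_glyphs(svg_text):
    """Return {glyph unicode: [findings]} for glyphs with resource-loading content."""
    report = {}
    root = ET.fromstring(svg_text)
    for glyph in root.iter(f"{{{SVG}}}glyph"):
        findings = []
        for el in glyph.iter():
            if el is glyph:
                continue  # only the glyph's descendants are of interest
            name = local_name(el.tag)
            if name in ("image", "foreignObject"):
                findings.append(f"{name} element")
            for attr in HREF_ATTRS:
                ref = el.get(attr)
                if ref is None:
                    continue
                kind = "same-document" if ref.startswith("#") else "external"
                findings.append(f"{kind} href on {name}: {ref}")
        if findings:
            report[glyph.get("unicode")] = findings
    return report

if __name__ == "__main__":
    for char, findings in audit_glyphs(SAMPLE).items():
        print(char, findings)
```

Glyphs "a" and "b" (path data, including a coloured path) produce no findings, which matches the distinction drawn in the reply between shapes and arbitrary content.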