Re: SVG <glyph> element spec from Jeremie Patonnier on 2012-12-21 (www-svg@w3.org from December 2012)

From: Jeremie Patonnier <jeremie.patonnier@gmail.com>
Date: Fri, 21 Dec 2012 14:16:29 +0100
To: Tavmjong Bah <tavmjong@free.fr>
Cc: Dirk Schulze <dschulze@adobe.com>, David Dailey <ddailey@zoominternet.net>, Erik Dahlstrom <ed@opera.com>, "www-svg@w3.org" <www-svg@w3.org>
Message-ID: <CAEi838nMXL54G_7uE_dfZrwBcS4KJYTkn-dOZw+ssEwFqFE2og@mail.gmail.com>

Hi,

2012/12/21 Tavmjong Bah <tavmjong@free.fr>

> On Thu, 2012-12-20 at 08:02 -0800, Dirk Schulze wrote:
> > For WebKit we decided not to support arbitrary shapes because of
> different security considerations.
>
> I am curious to know what security consideration there would be to
> arbitrary shapes as compared to paths.
>
> Tav

I guess it should be the usual : <script> and <foreignObject> (that could
be explicitly forbidden) and all external ressources load through
xlink:href attributes (which can be forbidden as well or restrict through
the same origin policy). I think it's maybe what's missing in the spec.

Best
-- 
Jeremie
.............................
Web : http://jeremie.patonnier.net
Twitter : @JeremiePat <http://twitter.com/JeremiePat>

Received on Friday, 21 December 2012 13:18:12 UTC