Ambiguities in fill:url() / stroke:url() syntax from Robert O'Callahan on 2012-10-24 (www-svg@w3.org from October 2012)

From: Robert O'Callahan <robert@ocallahan.org>
Date: Thu, 25 Oct 2012 11:10:24 +1300
To: www-svg <www-svg@w3.org>
Message-ID: <CAOp6jLbSKoWO8HVLkRBK45+w0cQhMYV40wZ3e_BaXhnq2yvVOA@mail.gmail.com>

Dirk Schulze mentioned that the SVG WG wants to allow 'fill' and 'stroke'
to accept both CSS image values and SVG paint-server values. This means
that "fill:url(abc.svg#ref)" could refer to either part of an SVG image
(via http://www.w3.org/TR/SVG/linking.html#SVGFragmentIdentifiers ), or to
a paint server. The user-agent would have to resolve the ambiguity by
loading the resource to determine whether the element with id 'ref' is a
valid paint server, and presumably treat it as a paint server if possible,
otherwise a link into an SVG image.

Unfortunately that would be a real pain to implement in Gecko, because our
code for loading SVG images is separate from our code for loading external
resource documents, and we need to know at the start of the load which path
to take. Also, we treat the loaded documents differently. We impose a
same-origin restriction on external resource document loads but not on SVG
image loads. SVG images are not allowed to refer to external resources for
security reasons, but external resource documents can. SVG image documents
can be shared between different users of the same SVG image (even from
different domains), but external resource documents are not. Etc.

The best implementation approach for us might be to try loading the URI as
an external resource document, and if that fails or the element turns out
not to be a paint server, try to load it as an SVG image instead. But that
seems slow, hacky and it could easily confuse authors.

AFAIK Webkit doesn't have this problem because it doesn't support
references to paint servers in external resource documents. I don't know
about other engines.

I'm also concerned that requiring SVG images and external resource
documents to be treated in a uniform way could blow up in our faces later
since both of those are extremely underspecified right now and have
security requirements that are not very well understood.

Rob
-- 
“You have heard that it was said, ‘Love your neighbor and hate your enemy.’
But I tell you, love your enemies and pray for those who persecute you,
that you may be children of your Father in heaven. ... If you love those
who love you, what reward will you get? Are not even the tax collectors
doing that? And if you greet only your own people, what are you doing more
than others?" [Matthew 5:43-47]

Received on Wednesday, 24 October 2012 22:10:52 UTC