Re: minutes, SVG F2F Pymont, Sydney day 5 (08/02/2013)

On Feb 8, 2013, at 8:30 PM, Robert O'Callahan <robert@ocallahan.org> wrote:

> On Sat, Feb 9, 2013 at 1:36 PM, Rik Cabanier <cabanier@gmail.com> wrote:
> On Sat, Feb 9, 2013 at 10:05 AM, Robert O'Callahan <robert@ocallahan.org> wrote:
> A SVG glyphs document is always parsed as XML so the HTML parser never gets called. Script is disabled not by modifying the parser or DOM, but by just not running script --- this is already specced out.
> 
> There's no resizing of the SVG glyphs document or any of its contents, except for stuff triggered by animation.
> 
> Can the viewbox change the size of the foreignobject?
> What the point size affect?
> 
> The viewbox does not change. The font size scales the glyph content.
> 
>  
>  
> Also, my fear is that people will abuse it and just make HTML characters.
> 
> I can't imagine why anyone would want to do that, and it wouldn't be that bad if they did.
> 
> I'm unsure. It seems that security issues might pop up. Since it's a font that will be loaded by the OS, we should be extremely vigilant.
> 
> OS support for SVG fonts would introduce no new issues over OS support for SVG images, AFAIK.
> 
> Another drawback is that the spec says that user agents are not required to render foreignobject (ie Internet explorer doesn't). 
> 
> That's a problem with <foreignObject> independent of where it's used.

At WebKit, we decided that we could not predict possible security issues with allowing arbitrary content on glyphs at the time of implementing SVG Fonts. Even if it looks like we have a somehow trustable security concept, it sounds like an unnecessary risk. In general I would like to limit the graphical elements to basic shapes. I am not even sure if <text> would make a lot of sense on a glyph, but it might be ok. It would require a font, which most likely is an external resource so.

Greetings,
Dirk



> 
> Rob
> -- 
> Wrfhf pnyyrq gurz gbtrgure naq fnvq, “Lbh xabj gung gur ehyref bs gur Tragvyrf ybeq vg bire gurz, naq gurve uvtu bssvpvnyf rkrepvfr nhgubevgl bire gurz. Abg fb jvgu lbh. Vafgrnq, jubrire jnagf gb orpbzr terng nzbat lbh zhfg or lbhe freinag, naq jubrire jnagf gb or svefg zhfg or lbhe fynir — whfg nf gur Fba bs Zna qvq abg pbzr gb or freirq, ohg gb freir, naq gb tvir uvf yvsr nf n enafbz sbe znal.” [Znggurj 20:25-28]

Received on Saturday, 9 February 2013 20:17:07 UTC