- From: Daniel Holbert <dholbert@mozilla.com>
- Date: Thu, 26 Mar 2015 20:01:09 -0700
- To: David Dailey <ddailey@zoominternet.net>
- Cc: 'Chris Lilley' <chris@w3.org>, 'Doug Schepers' <schepers@w3.org>, 'www-svg' <www-svg@w3.org>
On 03/26/2015 07:32 PM, David Dailey wrote:
> Very interesting considerations. In fussing around with things at Wikipedia
> and Ello, I stumbled into the "no external resources" rule, since I wanted
> bitmaps inside an SVG, and found I had to use base64 encoding of said
> bitmaps to make it happen. I realized, at the time, why external resources
> would be a security/privacy risk to the audience, but wondered if a
> same-domain exception might be applied. If a resource (like an image file)
> came from the same domain, is there still a problem with that?

As I think Doug suggested elsewhere in this thread, let's try to keep this thread focused on a single topic. (interactive animations in <img>, per the current subject-line). If you want to start a discussion about allowing same-domain external resources, please start a separate thread about that.

Briefly, though, the reason there's no same-domain exception is: sites may have open redirectors, which means we don't really know that "same origin" URLs are actually "same origin". See https://lists.w3.org/Archives/Public/www-svg/2011May/0100.html and https://bugzilla.mozilla.org/show_bug.cgi?id=628747#c36

> but all that sniffing data would
> stay under the ever careful and respectful auspices of the social network
> wouldn't it?

Not if the social network has an open redirector, per above. (like http://getpocket.com/redirect?url=http://example.com )

Anyway, if you have further thoughts on this, let's start a new thread.
Received on Friday, 27 March 2015 03:01:41 UTC
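
The point about open redirectors in the message above, as an added example that is not part of the original post or of any browser's code: a same-origin check applied only to the URL written in the SVG accepts a resource that ends up on another origin, while a check applied to every redirect hop rejects it. The hostnames, the redirect table and all function names are constructed for illustration.

```javascript
// Constructed data: stands in for HTTP 3xx responses so the example runs offline.
// Key = requested URL, value = Location header the hypothetical server returns.
const REDIRECTS = new Map([
  // An open redirector on the document's own site.
  ["https://social.example/redirect?url=https://tracker.example/pixel.png",
   "https://tracker.example/pixel.png"],
  // A benign move that stays on the same site.
  ["https://social.example/img/old.png", "/img/new.png"],
]);
const DOC = "https://social.example/uploads/avatar.svg"; // constructed document URL

// Naive exception: judge the resource only by the URL written in the document.
function naiveSameOrigin(docUrl, resourceUrl) {
  return new URL(resourceUrl, docUrl).origin === new URL(docUrl).origin;
}

// Walk the redirect chain and return every URL that would be requested.
function resolveChain(docUrl, resourceUrl, maxHops = 5) {
  let current = new URL(resourceUrl, docUrl).href;
  const chain = [current];
  for (let hops = 0; ; hops++) {
    const location = REDIRECTS.get(current);
    if (location === undefined) return chain;       // final response reached
    if (hops === maxHops) throw new Error("too many redirects");
    current = new URL(location, current).href;      // Location may be relative
    chain.push(current);
  }
}

// Stricter check: every hop, not just the first, must stay on the document's origin.
function sameOriginAfterRedirects(docUrl, resourceUrl) {
  const docOrigin = new URL(docUrl).origin;
  try {
    return resolveChain(docUrl, resourceUrl)
      .every((u) => new URL(u).origin === docOrigin);
  } catch {
    return false; // fail closed on redirect loops or unparsable URLs
  }
}
```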