[svg2] Use CORS-enabled fetch for the structurally external elements from Erik Dahlström on 2015-03-31 (www-svg@w3.org from March 2015)

From: Erik Dahlström <ed@opera.com>
Date: Tue, 31 Mar 2015 14:03:29 +0200
To: "www-svg@w3.org" <www-svg@w3.org>
Message-ID: <op.xwc2f32gdhsuf5@gnorps>

Hello,

I'd like to suggest that we allow CORS[1] in svg, by adding 'crossorigin'  
attributes to the svg elements that can reference external resources,  
specifically the <image>, <use> and <script> elements. Being able to use  
CORS in svg was requested here[2].

The 'embedded content' elements <audio>, <video> and <iframe> all have  
such attributes already.

For <script> and <image> this would align better with html. As a note,  
since Blink shares the internal implementation of script and image loaders  
the 'crossorigin' attribute is already supported on <svg:script> and  
<svg:image>.

For <use> all the browsers I tested blocked the crossorigin requests. For  
that reason it might be reasonable to use the 'No CORS' mode as the  
default for <use>. That means that you have to both have a 'crossorigin'  
attribute with a value such that the mode isn't resolved to 'No CORS', as  
well as get an ok from the server that serves the referenced content (via  
an "Access-Control-Allow-Origin" http header), to successfully fetch the  
crossorigin content.

For <foreignObject>, which is listed as a 'structurally external element'  
but which currently lacks an xlink:href attribute to match that, I suggest  
that we don't add xlink:href to <foreignObject>, but if we do, that we use  
the 'No CORS' mode as default.

Proposal:

* For <script>, let 'crossorigin' be a 'CORS settings attribute'[3] with  
the same effect as for <html:script>
* For <image>, let 'crossorigin' be a 'CORS settings attribute'[3] with  
the same effect as for <html:img>
* For <use>, let 'crossorigin' be a 'CORS settings attribute'[3] and let  
CORS mode be 'No CORS'
* For <foreignObject>, add an issue to the spec regarding this, and don't  
add the 'crossorigin' attribute there yet

Thoughts?


[1] https://www.w3.org/TR/cors/
[2] https://code.google.com/p/chromium/issues/detail?id=470601
[3]  
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attribute

-- 
Erik Dahlstrom, Web Technology Developer, Opera Software
Co-Chair, W3C SVG Working Group

Received on Tuesday, 31 March 2015 12:04:06 UTC