On Tue, 26 Nov 2013, Boris Zbarsky wrote:
> On 11/26/13 5:50 PM, Ian Hickson wrote:
> > > But the image inside this image would also be loaded as basic fetch
> > > tainted cross origin. Right?
> >
> > That's up to SVG.
>
> Note that Gecko has serious security concerns with allowing subresource
The document “SVG Integration Module Level 1” [1] is going to define the
specifics of fetching in SVG. I hope to find the time to add actual content in
January and would be happy for reviews after that.
Greetings,
Dirk
[1] https://dvcs.w3.org/hg/svg2/raw-file/7a902f4a33f6/specs/integration/Ove
On 11/27/13 9:08 AM, Anne van Kesteren wrote:
> It seems weird to say "Gecko has serious security concerns". Either
> there's a factual security issue or not, right?
In theory, yes.
In practice, opinions seem to differ, not least because one person's
security/privacy issue is another's business m
On Wed, Nov 27, 2013 at 1:13 AM, Boris Zbarsky wrote:
> Note that Gecko has serious security concerns with allowing subresource
> loads like this in SVG loaded via ; we currently disallow them
> altogether due to those concerns. Such SVG documents can link to things
> internal to themselves and t
On 11/26/13 5:50 PM, Ian Hickson wrote:
> > But the image inside this image would also be loaded as basic fetch
> > tainted cross origin. Right?
>
> That's up to SVG.
Note that Gecko has serious security concerns with allowing subresource
loads like this in SVG loaded via ; we currently disallow them
a
On Fri, 13 Sep 2013, Dirk Schulze wrote:
>
> If I understand HTML fetching and the fetch spec right, the
> default behavior on image fetching is No CORS with the mode tainted
> cross-origin.
>
> For the example:
>
> and image.svg:
>
>
> http://otherdomain.com/image.svg";>
>
>
> In
On Fri, Sep 13, 2013 at 10:52 AM, Dirk Schulze wrote:
> If Fetch is not just fetching external (as not in the current document) then
> we still need it for SVG. References within the same document must still work.
Fragment identifiers are to be handled by SVG. Again, your "SVG fetch"
wrapper cou
On Sep 13, 2013, at 10:43 AM, Anne van Kesteren wrote:
> On Fri, Sep 13, 2013 at 9:27 AM, Dirk Schulze wrote:
>> So, I wonder how that behavior could be described.
>
> I think you'd have a mode switch and maybe a wrapper for Fetch that
> only calls it for data and blob URLs. It seems like you
On Fri, Sep 13, 2013 at 9:27 AM, Dirk Schulze wrote:
> So, I wonder how that behavior could be described.
I think you'd have a mode switch and maybe a wrapper for Fetch that
only calls it for data and blob URLs. It seems like you don't really
want to invoke Fetch at all for SVG as image. Do scrip
Hi,
If I understand HTML fetching and the fetch spec right, the default
behavior on image fetching is No CORS with the mode tainted cross-origin.
For the example:
and image.svg:
http://otherdomain.com/image.svg";>
In this case the image.svg would be fetched with basic fetch and ta