[Webkit-unassigned] [Bug 15443] SVGImage does not support sub-resource loading

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 11 10:33:39 PDT 2014 

https://bugs.webkit.org/show_bug.cgi?id=15443


Philip Rogers <pdr at google.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pdr at google.com




--- Comment #26 from Philip Rogers <pdr at google.com>  2014-07-11 10:33:52 PST ---
(In reply to comment #25)
> (In reply to comment #24)
> > SVGImages should never load sub resources. This is part of the security strategy.
> 
> This is bollocks.
> 
> An HTML page can load css, and so should an SVG. There is no more security concern on loading css from a, SVG than there is from loading one from HTML.
> 
> On top of that, it breaks (or not-fully-implements) the standard.
> 
> On top of that, IE11 applies external stylesheets just fine. Do you want Microsoft to be better?
> 
> On top of that, this makes having multiple SVG assets with a single stylesheet impossible. We'll have to write a Grunt script of sorts to embed a stylesheet generated from SASS into the corresponding SVG files. This is an absolutely horrible workaround that increases bandwidth usage and takes up valuable time.
> 
> On top of that yet again, if there is some sort of security concern. Fix that. Don't remove a feature because one tinywiny part of it might possible have a chance of doing something naughty.

Unfortunately the security vulnerabilities are serious and have been exploited in the wild. The web just wasn't designed to have images make subresource requests :/

This is being canonicalized in a spec, see: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26114 (and related bugs). If you would like to discuss the merits of this, please follow up with Anne. Microsoft has shown interest in this, and all other browsers block external resources. I think it is unlikely external requests will be made from SVG images in IE12.

Baking your assets into one file can improve the user experience in some cases since the number of round trips is reduced. Cacheability can be reduced though.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list