[Webkit-unassigned] [Bug 15443] SVGImage does not support sub-resource loading

bugzilla-daemon at webkit.org
Mon Jul 14 01:24:01 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=15443

--- Comment #27 from Martijn <martijn+webkitbugzilla at thany.nl>  2014-07-14 01:24:15 PST ---
> Unfortunately the security vulnerabilities are serious and have been exploited in the wild. The web just wasn't designed to have images make subresource requests :/

Neh, I'm not convinced that simply disabling said feature is the solution. It's a horrible workaround, and it's doing the SVG standard and Chromium's image not much good.

If there's a security concern, it should be fixed, not disabled. If regular CSS poses a security concern, we're not disabling it either.

> This is being canonicalized in a spec, see: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26114 (and related bugs). If you would like to discuss the merits of this, please follow up with Anne. Microsoft has shown interest in this, and all other browsers block external resources. I think it is unlikely external requests will be made from SVG images in IE12.

That's highly unlikely. Microsoft tends to bring out security updates to their browser fairly timely, so if it's still in IE11 (which it is), I suspect it will be in IE12 as well. And for good reason - it's a great feature.

> Baking your assets into one file can improve the user experience in some cases since the number of round trips is reduced. Cacheability can be reduced though.

I'm aware of that, and making my choices as appropriate.
