[Webkit-unassigned] [Bug 15443] SVGImage does not support sub-resource loading

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 14 18:56:09 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=15443





--- Comment #28 from Philip Rogers <pdr at google.com>  2014-07-14 18:56:23 PST ---
(In reply to comment #27)

Martijn,

To summarize this thread, sites expect images to be self-contained and iframe/object/embed to allow subresources. The change to disallow subresources in svg images is just enforcing the expectations authors have around images. The security concern here is, in part, due to how websites expect images to work. You may respond that it's the web authors who are wrong, but we should take that discussion to a vendor-neutral spec process.

You clearly care about this issue and I agree with you that there's more we can do. I suspect there is a path forward for allowing sites to opt in to svg image subresources, for example. I encourage you to pursue this through the spec process via the w3 bug I linked to earlier. If you have ideas on how to safely allow subresources to be loaded from images, please share that with the spec that's being written right now.

I'm not sure what your specific use case looks like, but it may be possible for you to include your svg content via <object> or <embed> instead of <img> so that subresources are allowed.
