On 11/26/13 5:50 PM, Ian Hickson wrote:
But the image inside this image would also be loaded as basic fetch
tainted cross origin. Right?

That's up to SVG.

Note that Gecko has serious security concerns with allowing subresource
loads like this in SVG loaded via <img>; we currently disallow them
altogether due to those concerns. Such SVG documents can link to things
internal to themselves and to data: URIs, but not to anything requiring
network access.

SVG loaded via <object> is a different story, of course.

-Boris
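
The rule described in the message above (same-document references and data: URIs allowed, anything needing network access not) can be approximated as a check over an SVG file before it is served for use in `<img>`. This is an added example, not code from the original message or from Gecko; the function names and the sample SVG are constructed, and it inspects only `href` / `xlink:href` attributes, assuming any reference that is neither a fragment nor a data: URI would need a fetch.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample SVG (not from the original message).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="4"/></defs>
  <use xlink:href="#dot"/>
  <image href="data:image/png;base64,AAAA"/>
  <image xlink:href="https://other.example/pixel.png"/>
  <use href="sprites.svg#icon"/>
</svg>"""


def classify(ref):
    """Sort a reference into the three cases the message names."""
    ref = ref.strip()
    if ref.startswith("#"):
        return "internal"   # link to something inside the same document
    if ref.lower().startswith("data:"):
        return "data"       # payload is inline, no fetch needed
    # Assumption: everything else, including relative URLs, needs a fetch.
    return "network"


def network_refs(svg_text):
    """Return (tag, reference) pairs that would require network access."""
    found = []
    for el in ET.fromstring(svg_text).iter():
        for attr in ("href", XLINK_HREF):
            ref = el.get(attr)
            if ref is not None and classify(ref) == "network":
                # Strip the "{namespace}" prefix ElementTree puts on tags.
                found.append((el.tag.split("}")[-1], ref))
    return found


if __name__ == "__main__":
    for tag, ref in network_refs(SAMPLE_SVG):
        print(f"<{tag}> references {ref}")
```

Only parse SVG you already trust with `xml.etree.ElementTree`; for untrusted uploads use a parser hardened against entity expansion.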