On 11/27/13 9:08 AM, Anne van Kesteren wrote:
> It seems weird to say "Gecko has serious security concerns". Either
> there's a factual security issue or not, right?

In theory, yes.

In practice, opinions seem to differ, not least because one person's security/privacy issue is another's business model.

In this particular case, last I checked, other UAs are more permissive than Gecko, and seem to not care about the issue we care about in this situation.

> And as far as I can tell the issue is that if someone allows uploading SVG
> images, people could include tracker images in those SVG images.

That's correct.

> And therefore the SVG specification should simply outlaw that.

I'm all for that, obviously.  ;)

> Note that even then those SVG images cannot be hosted same-origin unless you
> run them through some kind of whitelist-based filter.

Indeed.

-Boris
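
The kind of whitelist-based filter mentioned in the thread, as an added example that is not part of the original message or of any browser's code: it keeps only listed SVG elements and attributes and only same-document `href` values, so an uploaded image cannot pull in a remote tracker image. The allowlists, the function names and the choice to reject any document carrying a DTD are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG, XLINK = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
# Illustrative allowlists (assumed, not from the thread); all else is dropped.
ALLOWED_TAGS = {"{%s}%s" % (SVG, n) for n in (
    "svg g defs title desc use path rect circle ellipse line polyline polygon".split())}
ALLOWED_ATTRS = set(
    "id d x y x1 y1 x2 y2 cx cy r rx ry width height viewBox points "
    "transform fill stroke stroke-width opacity".split())
HREF_ATTRS = {"href", "{%s}href" % XLINK}
# Values may not contain ':', '/' or a backslash, so no URL or CSS escape fits.
SAFE_VALUE = re.compile(r"[-A-Za-z0-9#.,%()\s+]*")
LOCAL_REF = re.compile(r"#[A-Za-z_][\w.-]*")  # same-document reference only

def _attr_ok(name, value):
    if name in HREF_ATTRS:
        return LOCAL_REF.fullmatch(value) is not None
    return (name in ALLOWED_ATTRS and "url(" not in value.lower()
            and SAFE_VALUE.fullmatch(value) is not None)

def _clean(elem):
    for name in list(elem.attrib):
        if not _attr_ok(name, elem.attrib[name]):
            del elem.attrib[name]
    for child in list(elem):
        if child.tag in ALLOWED_TAGS:   # comments and PIs never reach the tree
            _clean(child)
        else:
            elem.remove(child)          # <image>, <script>, <style>, foreign XML

def sanitize_svg(data):
    if "<!DOCTYPE" in data or "<!ENTITY" in data:
        raise ValueError("DTDs are not accepted")
    root = ET.fromstring(data)
    if root.tag != "{%s}svg" % SVG:
        raise ValueError("root element is not <svg>")
    _clean(root)
    ET.register_namespace("", SVG)
    ET.register_namespace("xlink", XLINK)
    return ET.tostring(root, encoding="unicode")

# Constructed upload: two remote references, a script hook and one local <use>.
SAMPLE = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">'
    '<rect id="r" width="10" height="10" fill="#eee" onload="x()"/>'
    '<image xlink:href="https://tracker.example/p.png" width="1" height="1"/>'
    '<use xlink:href="#r"/><circle r="2" fill="url(https://tracker.example/q)"/></svg>')
```

Calling `sanitize_svg(SAMPLE)` returns the document with the `<image>` element, the `onload` attribute and the remote `fill` removed, while the local `<use xlink:href="#r"/>` survives.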
