-
Notifications
You must be signed in to change notification settings - Fork 641
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[svg] Is there any way we could allow SVGs to link to other files? #10481
Comments
Related: #8634 |
Beside B/W compat (authors may rely on the lack of 3rd party loading to get different behaviors in different contexts), I can't see why the iframe model couldn't be used for loading SVGs as |
This is why I always use <object> for SVG (except in the rare case where there is no text and no styling). But that brings in other problems. |
Is this a theoretical point or are you aware of such cases? Anyhow, we can do compat analysis to see if that’s the case.
This does not work for using SVGs via CSS, and there are no attributes in that case. (presumably you mean |
I believe it's a privacy issue. Consider a forum or blog that allows commenters to use |
Yeah, SVG-as-img being locked down is indeed an important security consideration that can't be relaxed by default. It has to be some affirmative choice going forward, like an attribute or something that is added in the referencing markup. |
@tabatkins (cc @LeaVerou), I believe it could be beneficial to introduce a generic attribute to support both this behavior and that described in #8634, as well as any relevant features introduced in the future. In #8634, I proposed an affirmative attribute as well. One potential solution could be an I don't mean to "muddy the waters" between these two issues, but using a generic attribute like |
Maybe just limit the use of third-party, unsafe inserts in and then you won't have to worry about someone embedding unsafe code into the image? |
@zcorpan If a static image is hotlinked, it can absolutely phone home, since it can be server-generated and the URL rewritten to look like a regular static image. Though I see your point: if SVGs could phone home, disallowing hotlinking would not be enough. But then it sounds like same-origin URLs should be fine? @tabatkins What is insecure about SVGs being able to link to same origin URLs? We can introduce an opt-in mechanism for cross-origin requests. @brandonmcconnell Whatever we come up with should work in CSS too, which is the biggest pain point (for HTML one can always use @BlackStar1991 Nobody is talking about clicking hyperlinks. I doubt that’s even possible with the current image rendering pipeline. This is about linking to resources like fonts, CSS files, or other SVGs. |
That argues for a finer-grained access model. The current "make sure SVG is painful or inefficient" is not really helping. |
It isn't. SVG in |
There are other use cases that this proposal still won't cater for, like referencing elements from that SVG, or manipulating with JS. |
This comment was marked as off-topic.
This comment was marked as off-topic.
Isn’t that what |
Yes, but it's inserted into a shadow tree, so it's a bit limited. Maybe we could reuse this concept in a more modern fashion that could answer the |
@ydaniv Like how? |
Well, ideally I'd like a way to have the same power of having an inline SVG, perhaps with opt-in/out of layers of encapsuation (from seamless inline, through
|
One of the biggest SVG pain points is around how locked down SVGs used in
<img>
or CSS background images are. My (potentially incorrect) understanding is that it was easier to do that at the time than properly investigate what the boundary is between addressing use cases while protecting end-users, and there was no interest from UAs to invest in that research. There was some activity recently around fixing longstanding SVG pain points, and potentially some renewed interest from UAs, so it may be an opportune point to revisit this.Currently, SVGs used in
<img>
or CSS are severely crippled:<use>
so simple variations (e.g. a monochrome version of a logo or a + modifier on an icon) need to duplicate the entire graphic.Could security folks explain the security risks involved so we could come up with a better solution than the current blanket ban on referencing (non-local) URLs? I’m really struggling to see what security risk importing a same-origin URL involves, especially when it’s one that’s already imported by the current document, but I’m not a security expert so I could be missing something.
Perhaps the issue is not around security but around loading behavior? If so, there are ways to address this (and if JS could do top-level await, we can certainly do this).
The text was updated successfully, but these errors were encountered: