I think my checkin for Bug 628747 was slightly too large of a hammer -- it disables loads from data: URIs, too (e.g. <image xlink:href="data:image/png,etc"/>), which don't suffer from the data leakage problem outlined in bug 628747 comment 0. Data URIs also provide a way for authors to cope with bug 628747, to embed external resources (e.g. raster images) directly for legitimate (non-malicious) uses. bz suggests checking for URI_IS_LOCAL_RESOURCE -- that looks like it's what we want. I'm writing some more comprehensive tests at the moment, and then will post a patch.
Actually, rather than fixing this separately, I'm going to just back out bug 628747 and post/land a better fix there.
No longer blocks: 628747
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 628747
Attachment #507680 - Attachment is obsolete: true
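As an added illustration (not Gecko's code and not anything attached to this bug), here is a check in the spirit of the URI_IS_LOCAL_RESOURCE distinction described above: references in an SVG-as-image that need no network fetch (data: URIs, same-document fragments) are allowed, everything else is blocked. The set of local schemes and the sample SVG are assumptions made for the example.

```python
"""Classify resource references in an SVG document rendered as an image.

Added example, not Gecko code: an SVG used as an <img> must not fetch
external resources (the leak from bug 628747), but data: URIs and
same-document fragment references carry no cross-origin data and can be
allowed. LOCAL_SCHEMES is a simplified stand-in for Gecko's
URI_IS_LOCAL_RESOURCE flag (assumption: only data: is listed here).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
LOCAL_SCHEMES = {"data"}  # assumption; Gecko's flag covers its own set


def is_local_resource(href: str) -> bool:
    """True if the reference resolves without a network fetch."""
    href = href.strip()
    if href.startswith("#"):  # same-document reference, e.g. "#grad"
        return True
    return urlsplit(href).scheme.lower() in LOCAL_SCHEMES


def audit_svg_references(svg_text: str) -> list[tuple[str, str, str]]:
    """Return (element, href, verdict) for every href in the document."""
    root = ET.fromstring(svg_text)
    results = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the namespace prefix
        for attr in (XLINK_HREF, "href"):
            href = el.get(attr)
            if href is None:
                continue
            verdict = "allow" if is_local_resource(href) else "block"
            results.append((tag, href, verdict))
    return results


# Constructed sample: an embedded data: image, an external image, a <use>.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><linearGradient id="grad"/></defs>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="10" height="10"/>
  <image xlink:href="https://example.test/tracker.png" width="10" height="10"/>
  <use xlink:href="#grad"/>
</svg>"""

if __name__ == "__main__":
    for tag, href, verdict in audit_svg_references(SAMPLE_SVG):
        print(f"{verdict:5s} <{tag}> {href}")
```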