SVG-as-an-image should be able to load data: URIs

RESOLVED DUPLICATE of bug 628747

Status

()

Core
SVG
RESOLVED DUPLICATE of bug 628747
7 years ago
7 years ago

People

(Reporter: dholbert, Assigned: dholbert)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 obsolete attachment)

(Assignee)

Description

7 years ago
I think my checkin for Bug 628747 was slightly too large of a hammer -- it disables loads from data:URIs, too (e.g. <image xlink:href="data:image/png,etc/>), which don't suffer from the data leakage problem outlined in bug 628747 comment 0.

data URIs also provide a way for authors to cope with bug 628747, to embed external resources (e.g. raster images) directly for legitimate (non-malicious) uses.

bz suggests checking for URI_IS_LOCAL_RESOURCE -- that looks like it's what we want.  I'm writing some more comprehensive tests at the moment, and then will post a patch.
(Assignee)

Comment 1

7 years ago
Created attachment 507680 [details] [diff] [review]
patch 1 (back out bug 628747)
(Assignee)

Comment 2

7 years ago
Actually, rather than fixing this separately, I'm going to just back out bug 628747 and post/land a better fix there.
No longer blocks: 628747
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 628747
(Assignee)

Updated

7 years ago
Attachment #507680 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.