CSS filter property broken when SVG filter is on host other than document

RESOLVED INVALID

Status

Core
SVG

People

(Reporter: gabriel.kopley, Unassigned)

Tracking

18 Branch
x86_64
Linux

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17

Steps to reproduce:

Site is www.example.com

Stylesheet contains

div {
  filter: url(/filters.svg#grayscale)
}

or

div {
  filter: url(http://assets.example.com/filters.svg#grayscale)
}

Stylesheet and filters.svg are hosted at assets.example.com


Actual results:

No request is made for filters.svg.


Expected results:

Filters.svg should be requested. (behavior of FF17 and Chrome)

Do you have a complete testcase that shows this?
Flags: needinfo?(gabriel.kopley)
Component: Untriaged → SVG
Product: Firefox → Core

> behavior of FF17 and Chrome

Last I checked we didn't fetch cross-domain external resource documents in Firefox 17, for security reasons.  So yes, please link to a testcase that shows the behavior you're dealing with?
(Reporter)

Comment 3

5 years ago
Whoops.  You're right Boris.  My mistake.

It seems like this came up a couple years ago in https://bugzilla.mozilla.org/show_bug.cgi?id=433616 .

Is there still no way to reference an SVG file across domains?

Here is my use case

http://static.coshx.com/firefox.html - same domain SVG works
http://www.coshx.com/firefox.html    - cross-domain SVG denied

Thanks.
Flags: needinfo?(gabriel.kopley)

No, it's a security risk. You could use filters to read the remote image contents.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
(Reporter)

Comment 5

5 years ago
Would you link to an explanation please?  The discussion in 433616 suggested that remote SVGs could be ok if scripts are not executed.

bug 433616 comment 42. Note that we do implement pointer-events now.
(Reporter)

Comment 7

5 years ago
Thanks!
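
The case in this report, as an added diagnostic example (not code from the bug or from Firefox): it resolves each CSS filter url() against the stylesheet's URL and compares the result's origin with the document's origin, which is the cross-domain condition the comments above say is refused. The function name auditFilterRefs and the stylesheet path /style.css are assumptions; the hostnames are the ones in the report.

```javascript
// Added example for Node.js. Uses only the standard WHATWG URL class.
// A url() in a stylesheet resolves relative to the stylesheet, not the page,
// so url(/filters.svg#grayscale) in a sheet served from assets.example.com
// points at assets.example.com even when the page is www.example.com.
function auditFilterRefs(documentUrl, stylesheetUrl, cssText) {
  const docOrigin = new URL(documentUrl).origin; // scheme + host + port
  const re = /filter\s*:\s*url\(\s*(['"]?)([^'")]+)\1\s*\)/g;
  const findings = [];
  for (const m of cssText.matchAll(re)) {
    const raw = m[2].trim();
    if (raw.startsWith('#')) continue; // in-document references: out of scope
    const resolved = new URL(raw, stylesheetUrl);
    findings.push({
      raw,
      resolved: resolved.href,
      // false means the filter document is cross-origin to the page, the
      // case described in the thread as not fetched.
      sameOrigin: resolved.origin === docOrigin,
    });
  }
  return findings;
}

// Constructed sample input mirroring the two rules in the description.
const SAMPLE_CSS = `
div { filter: url(/filters.svg#grayscale) }
p   { filter: url(http://assets.example.com/filters.svg#grayscale) }
`;
const SHEET = 'http://assets.example.com/style.css'; // assumed path

// Page on www.example.com: both references are cross-origin.
const crossOrigin = auditFilterRefs('http://www.example.com/', SHEET, SAMPLE_CSS);
// Page on assets.example.com itself: both references are same-origin.
const sameOrigin = auditFilterRefs('http://assets.example.com/page.html', SHEET, SAMPLE_CSS);

for (const f of crossOrigin) {
  console.log(`${f.raw} -> ${f.resolved} sameOrigin=${f.sameOrigin}`);
}
```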