This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
It seems to address the case where an image/svg+xml does not want any networked resources to be fetched but does want to allow data and blob URLs to be fetched we could either special case those URL schemes in SVG/CSS or we could let Fetch handle the bookkeeping (in case new such URL schemes get added in the future, highly likely). My proposal is to put in Fetch. Yay/nay appreciated.
Special-casing in svg/css is a bit hard. For example, an <svg:image> inside image/svg+xml should restrict to data: or blob:, right? Gecko does this via its generic load security check mechanism right now, which examines the document and if it's an SVG-as-image imposes certain restrictions. That would correspond to being part of fetch.
image/svg+xml could also be loaded in a top-level browsing context and execute script. But if we assume the SVG is loaded as image through <img> or background-image, then yes, the idea is that all the resources it (and its associated inline CSS) can fetch from there would be restricted through the "local fetches only flag". I would also be okay with letting Mixed Content handle this somehow. I'm not sure if enough information is exposed for it to do so. Mike, what do you think?
I don't think this sounds like something mixed content checks should handle. I mean, we could define "local" inside Mixed Content, and give you a hook to determine whether a resource was "local", but it seems like the wrong place to determine what resources can load inside an SVG-as-image. Putting it into Fetch sounds reasonable, or putting a hook into SVG that Fetch can call out to.
This came up in CSP as well. I'd suggest putting a hook in either Fetch or URL to check whether a resource is "local". I don't have a strong preference as to which. Maybe both? URL defines the set of schemes which are "local", and Fetch hooks that definition to determine whether SVG can fetch a particular URL?
https://github.com/whatwg/url/commit/760ab651a4f11bbd1323cc207f187dad4b56fb32 https://github.com/whatwg/fetch/commit/c6123bda9ff855fa733ff3c702ced923f2b38c55 I went with "both". Hopefully CSS and SVG get updated at some point to actually define their network architecture.