This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 26114 - Add "local fetches only flag" for SVG/CSS
Summary: Add "local fetches only flag" for SVG/CSS
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: Fetch
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+fetchspec
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-17 09:24 UTC by Anne
Modified: 2015-01-28 13:57 UTC
CC: 6 users

See Also:


Attachments

Description Anne 2014-06-17 09:24:40 UTC
It seems that to address the case where an image/svg+xml does not want any networked resources to be fetched but does want to allow data and blob URLs to be fetched, we could either special-case those URL schemes in SVG/CSS or let Fetch handle the bookkeeping (in case new such URL schemes get added in the future, which is highly likely).

My proposal is to put it in Fetch. Yay/nay appreciated.
Comment 1 Boris Zbarsky 2014-06-17 13:52:59 UTC
Special-casing in svg/css is a bit hard.  For example, an <svg:image> inside image/svg+xml should restrict to data: or blob:, right?

Gecko does this via its generic load security check mechanism right now, which examines the document and if it's an SVG-as-image imposes certain restrictions.  That would correspond to being part of fetch.
Comment 2 Anne 2014-06-17 13:57:04 UTC
image/svg+xml could also be loaded in a top-level browsing context and execute script.

But if we assume the SVG is loaded as image through <img> or background-image, then yes, the idea is that all the resources it (and its associated inline CSS) can fetch from there would be restricted through the "local fetches only flag".

I would also be okay with letting Mixed Content handle this somehow. I'm not sure if enough information is exposed for it to do so. Mike, what do you think?
Comment 3 Mike West 2014-06-17 14:07:55 UTC
I don't think this sounds like something mixed content checks should handle. I mean, we could define "local" inside Mixed Content, and give you a hook to determine whether a resource was "local", but it seems like the wrong place to determine what resources can load inside an SVG-as-image.

Putting it into Fetch sounds reasonable, or putting a hook into SVG that Fetch can call out to.
Comment 4 Mike West 2015-01-21 09:00:18 UTC
This came up in CSP as well.

I'd suggest putting a hook in either Fetch or URL to check whether a resource is "local". I don't have a strong preference as to which.

Maybe both? URL defines the set of schemes which are "local", and Fetch hooks that definition to determine whether SVG can fetch a particular URL?
Comment 5 Anne 2015-01-28 13:57:49 UTC
https://github.com/whatwg/url/commit/760ab651a4f11bbd1323cc207f187dad4b56fb32
https://github.com/whatwg/fetch/commit/c6123bda9ff855fa733ff3c702ced923f2b38c55

I went with "both". Hopefully CSS and SVG get updated at some point to actually define their network architecture.
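A small model of the resolved design, as an added example that is not part of the bug, the URL Standard or the Fetch Standard: the set of "local" schemes is defined in one place (only the two schemes the thread names, data: and blob:; the URL Standard's actual list is not reproduced here), and a fetch check consults it whenever a request carries the local-fetches-only flag, as the sub-resources of an SVG loaded through <img> would. The document URL and the resource list are constructed.

```javascript
// Added example modelling the "local fetches only flag" from the thread above.
// Scheme set: only the schemes the thread mentions (assumption: data: and blob:).
const LOCAL_SCHEMES = new Set(["data:", "blob:"]);

// Parse with the WHATWG URL parser; an unparseable reference yields null.
function parseUrl(urlString, base) {
  try { return new URL(urlString, base); } catch { return null; }
}

// "Local" is decided purely by scheme, the way the URL side of the fix does it.
function isLocalUrl(url) {
  return url !== null && LOCAL_SCHEMES.has(url.protocol);
}

// The Fetch-side hook: with the flag set, any non-local scheme is refused
// (a network error in Fetch terms) instead of reaching the network.
function checkFetch({ url, base, localFetchesOnly = false }) {
  const parsed = parseUrl(url, base);
  if (parsed === null) return { allowed: false, reason: "unparseable URL" };
  if (localFetchesOnly && !isLocalUrl(parsed)) {
    return { allowed: false, reason: `non-local scheme ${parsed.protocol} under local-fetches-only` };
  }
  return { allowed: true, url: parsed.href };
}

// Constructed sample: references an SVG-as-image might contain (<svg:image href>,
// or url() inside its inline CSS). Relative references resolve against the SVG's URL.
const SVG_AS_IMAGE_SUBRESOURCES = [
  "data:image/png;base64,iVBORw0KGgo=",
  "blob:https://example.test/0f2a3c8e-constructed",
  "https://example.test/tracker.png",
  "/relative/icon.png",
];

// Every sub-resource inherits the flag of the embedding context: when the SVG is
// loaded as an image the flag is set; as a top-level document it is not.
function evaluateSvgImage(documentUrl, hrefs, loadedAsImage) {
  return hrefs.map(h => ({
    href: h,
    ...checkFetch({ url: h, base: documentUrl, localFetchesOnly: loadedAsImage }),
  }));
}

function allowedHrefs(documentUrl, hrefs, loadedAsImage) {
  return evaluateSvgImage(documentUrl, hrefs, loadedAsImage)
    .filter(r => r.allowed)
    .map(r => r.href);
}
```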