SVG-as-image should be specified normatively in the Referencing Modes section of the SVG Integration spec. This page provides background on SVG-as-image and a place to discuss it informally.
"SVG loaded as an image" or "SVG-as-image" refers to a particular way of handling SVG files, where the SVG files are loaded with restrictions that allow website administrators to treat them equivalently to GIFs, PNGs, JPEGs and images in other raster formats. Restrictions that a user-agent must impose when loading SVG as an image include:
- disabling of script (including event attributes)
- disabling the loading of resources not on the same domain
- disabling the dispatch of UI events
- disabling of event-triggered animation (is this necessary with UI events disabled?)
SVG-as-image loading must be used when SVG files are loaded using the HTML <img> element, the CSS 'background-image' property, or any other means of loading a resource that is intended to be used for the loading of image resources only.
Same domain restriction
When SVG is loaded as an image it is critical that it not be allowed to make requests to load resources from other domains. Failing to impose this restriction would, for example, allow SVG images uploaded by a user to a forums to:
- receive a ping at their own domain whenever anyone viewed the image, and obtain the IP address of the person viewing it (with a bit of social engineering a viewer and IP address could be linked)
- serve different images to different people based on their IP address, geoIP lookup, request-headers, etc.
- change the appearance of their image at-will (i.e. wait for forum-admins to approve it, then change it)
Not imposing the same-domain restriction is not safe, and breaks the normal assumptions that website administrators can make when accepting files from users for use as images. In fact it's questionable if SVG loaded as an image should be allowed to load external resources at all.
When imposing the same-domain restriction implementers need to keep open redirectors in mind, and make sure that their implementation can never make cross-domain requests due to an SVG file using an open redirector on the same domain.