emacs-devel

Re: Loading svg from memory using custom filename for base_uri


From: Vasilij Schneidermann
Subject: Re: Loading svg from memory using custom filename for base_uri
Date: Thu, 3 Dec 2020 17:56:56 +0100

> I'm also wondering whether this is something that would be useful when
> loading from a file and not just data? It might be considered a
> security risk, I suppose?

The examples in <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=19373>
show files relying on a correctly set base-uri to work. There might be a
security risk if images are included that shouldn't be. Browsers
typically rely on Same-Origin Policy to shield off that risk (for
example a file:/// URL may only include other file:/// URLs), but it's a
heavy-handed solution and requires extra care to avoid bypasses.

Attachment: signature.asc
Description: PGP signature
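
The origin check the message above describes, as an added example (not part of the original message and not Emacs or librsvg code): it resolves each `href` in an SVG against a base URI and flags references that leave the base's origin. The policy (same scheme, `file:` references confined to the base file's directory), the sample SVG and all paths are assumptions made for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit, unquote

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample input; the base URI and file names are hypothetical.
BASE = "file:///home/user/pics/drawing.svg"
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="photo.png"/>
  <image href="../../../etc/passwd"/>
  <image href="https://example.com/logo.png"/>
  <use xlink:href="#local"/>
  <use href="sub/icon.svg#layer"/>
</svg>"""

def external_refs(svg_data, base_uri):
    """Yield (raw_href, resolved_uri) for every non-fragment reference."""
    for el in ET.fromstring(svg_data).iter():
        for attr in ("href", XLINK_HREF):
            href = el.get(attr)
            if href and not href.startswith("#"):
                yield href, urljoin(base_uri, href)

def allowed(resolved, base_uri):
    """Assumed policy: same scheme as the base; file: stays under the base dir."""
    base, ref = urlsplit(base_uri), urlsplit(resolved)
    if ref.scheme == "data":
        return True  # inline data, nothing is fetched
    if ref.scheme != base.scheme:
        return False
    if ref.scheme == "file":
        # Lexical check only: symlinks inside the directory are not resolved.
        base_dir = posixpath.dirname(posixpath.normpath(unquote(base.path)))
        ref_path = posixpath.normpath(unquote(ref.path))
        return posixpath.commonpath([base_dir, ref_path]) == base_dir
    return ref.netloc == base.netloc

def audit(svg_data, base_uri):
    """Return (raw_href, resolved_uri, allowed) for each external reference."""
    return [(h, r, allowed(r, base_uri)) for h, r in external_refs(svg_data, base_uri)]

if __name__ == "__main__":
    for href, resolved, ok in audit(SAMPLE, BASE):
        print("allow" if ok else "BLOCK", href, "->", resolved)
```

The check covers `href` and `xlink:href` attributes only; references made from CSS `url(...)` values or `<style>` blocks would need the same treatment.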

