"Security restrictions" when linking to an external style sheet from SVG (when included as an image)

According to an answer, "for security reasons, images must be standalone files." That is, when you include an SVG file using the img tag, it cannot refer to any external style sheets.

I think I ran into the same problem when trying to include SVGs as background images via CSS. The SVGs link to other SVG files and display them perfectly when viewed directly in Firefox, but the linked content does not show when they are included as a CSS background image.

What are these “security considerations” and where can I learn more about them?

+5
html css svg
Sep 26
1 answer

Consider a hypothetical forum that allows SVG images as avatars. If external resources were allowed, a trickster / malicious user could upload an SVG file containing <image xlink:href="http://evilhacker.com/myimage.png"> and (provided that they control evilhacker.com) do any or all of the following:

  • receive a ping on their own domain whenever someone views the profile (& log the IP address of the person viewing it).
  • potentially serve a different avatar to different people, based on their IP address, request headers, etc.
  • potentially change the look of their avatar later (i.e. wait for the forum administrators to approve it, and then change it to something NSFW)

See this Mozilla bug and the SVG Integration specification for more details.

+5
Sep 26
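The browser-side restriction the answer describes protects viewers, but a site that accepts SVG uploads (the avatar forum above) can also reject such files before they are ever served. The following is an added example, not code from the question or answer: a Python check that reports every remote reference an SVG would fetch (href/xlink:href attributes, url()/@import in styles, and the xml-stylesheet processing instruction). The sample avatar is constructed; only the evilhacker.com hostname comes from the answer.

```python
import re
import xml.etree.ElementTree as ET

# Anything that makes the renderer fetch from another origin (absolute or protocol-relative).
EXTERNAL_URL = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)
# url(...) / @import inside <style> blocks, style attributes and presentation
# attributes such as fill="url(//host/p.svg#p)".
CSS_URL = re.compile(r"(?:@import\s+|url\()\s*['\"]?((?:https?:)?//[^'\")\s]+)", re.IGNORECASE)
# ElementTree discards processing instructions, so catch <?xml-stylesheet href=...?> textually.
PI_STYLESHEET = re.compile(r"<\?xml-stylesheet[^>]*href\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def find_external_refs(svg_text: str) -> list[str]:
    """Return 'where: url' for every remote reference; #fragment and data: URIs are local."""
    findings = []
    for m in PI_STYLESHEET.finditer(svg_text):
        if EXTERNAL_URL.match(m.group(1)):
            findings.append(f"xml-stylesheet: {m.group(1)}")
    root = ET.fromstring(svg_text)  # expat does not fetch external DTDs or entities
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the namespace URI
        for name, value in el.attrib.items():
            local = name.split("}")[-1]  # xlink:href and plain href both end in "href"
            if local == "href":
                if EXTERNAL_URL.match(value):
                    findings.append(f"<{tag} {local}>: {value.strip()}")
            else:
                findings += [f"<{tag} {local}>: {u}" for u in CSS_URL.findall(value)]
        if tag == "style" and el.text:
            findings += [f"<style>: {u}" for u in CSS_URL.findall(el.text)]
    return findings


# Constructed sample mirroring the answer's avatar scenario (only the hostname is from the page).
HOSTILE_AVATAR = """<?xml version="1.0"?>
<?xml-stylesheet href="http://evilhacker.com/track.css" type="text/css"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="64" height="64">
  <style>@import url("//evilhacker.com/import.css");</style>
  <defs><pattern id="p" width="1" height="1"><rect width="1" height="1"/></pattern></defs>
  <rect width="64" height="64" fill="url(#p)"/>
  <image xlink:href="http://evilhacker.com/myimage.png" width="64" height="64"/>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="8" height="8"/>
</svg>"""

if __name__ == "__main__":
    for finding in find_external_refs(HOSTILE_AVATAR):
        print(finding)  # three remote references; the #p and data: URIs are not reported
```

An upload filter would reject a file whenever the returned list is non-empty; the same check applies to the CSS background-image case from the question, since the renderer restriction there is identical.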