[wp-meta] [Making WordPress.org] #1616: Remote CSS: Allow data URIs in CSS properties

Making WordPress.org noreply at wordpress.org
Wed Mar 9 23:04:02 UTC 2016


#1616: Remote CSS: Allow data URIs in CSS properties
--------------------------+-----------------------
 Reporter:  ryelle        |       Owner:  iandunn
     Type:  defect        |      Status:  accepted
 Priority:  normal        |   Milestone:
Component:  wordcamp.org  |  Resolution:
 Keywords:  has-patch     |
--------------------------+-----------------------

Comment (by iandunn):

 I haven't found anything definitive yet either.

 I suspect that all modern browser engines will treat `background-image`
 SVGs the same way Gecko does, but there are so many esoteric SVG
 exploits^1^ that it's really hard to be confident in anything. Even if
 JavaScript is disabled, there may still be XML attacks, etc.

 I think we need some more research before this can be committed.

 In the meantime, it looks like you're hosting the SVGs on an external
 domain, so that the cross-domain policy offers some protection. Ideally we
 want all resources hosted on wordcamp.org for longevity, but hosting them
 externally sounds like a good compromise until this is sorted out.

 [1] - For example, check out section 3.3 of
 [https://www.ei.rub.de/media/hgi/veroeffentlichungen/2011/10/19/svgSecurity-ccs11.pdf Crouching Tiger -- Hidden Payload],
 where `data:` URIs are used in ''inline'' SVGs to nest malicious SVGs via
 the `feImage` tag.

--
Ticket URL: <https://meta.trac.wordpress.org/ticket/1616#comment:4>
Making WordPress.org <https://meta.trac.wordpress.org/>
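Added example (not part of the ticket, the comment above, or the Remote CSS code, which is PHP): one conservative way to handle the question the ticket raises. Instead of deciding per browser engine whether SVG data URIs in `background-image` are safe, the check below allowlists data: URIs by declared MIME type (raster images only, so `image/svg+xml` is rejected), requires a base64 payload that actually decodes, and verifies the payload's magic bytes against the declared type so a mislabelled SVG cannot slip through as `image/png`. Remote http(s) URLs are passed through, matching the interim "host them externally" compromise. The `url()` regex, the size limit, the sample CSS and the tiny constructed PNG payload are all assumptions made for the example; a real sanitizer must run this after CSS escape sequences have been decoded, since the regex works on the literal text.

```python
import base64
import re

# Allowlist: declared MIME type -> magic bytes the decoded payload must start with.
# SVG is deliberately absent: it is XML and may carry script, external
# references and filter effects, which is the concern discussed in the ticket.
ALLOWED_TYPES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
MAX_BYTES = 256 * 1024  # assumed cap on inlined image size (hypothetical policy value)

# Matches url(...) with optional single/double quotes. Assumption: CSS escapes
# (e.g. "\64 ata:") were already decoded by the CSS parser before this runs.
URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)
# data:<mediatype>[;param...],<payload>
DATA_RE = re.compile(r"^data:([^,;]*)((?:;[^,;]*)*),(.*)$", re.DOTALL)


def check_data_uri(uri):
    """Return (ok, reason) for a single data: URI under the allowlist policy."""
    m = DATA_RE.match(uri.strip())
    if not m:
        return False, "not a data: URI"
    mime = m.group(1).strip().lower()
    params = [p.strip().lower() for p in m.group(2).split(";") if p.strip()]
    payload = re.sub(r"\s+", "", m.group(3))  # base64 may be wrapped across lines
    if mime not in ALLOWED_TYPES:
        return False, "type not allowed: " + (mime or "(empty)")
    if "base64" not in params:
        return False, "only base64 payloads accepted"
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False, "invalid base64"
    if len(raw) > MAX_BYTES:
        return False, "payload too large"
    if not raw.startswith(ALLOWED_TYPES[mime]):
        return False, "payload does not match declared type"
    return True, "ok"


def classify_url(value):
    """Return (kind, ok, reason) for the inside of one url() token."""
    v = value.strip()
    low = v.lower()
    if low.startswith("data:"):
        ok, reason = check_data_uri(v)
        return "data", ok, reason
    if low.startswith(("https://", "http://")):
        # External hosting: the browser's cross-origin rules apply, as the
        # ticket notes; nothing is inlined into the page's own origin.
        return "remote", True, "remote URL, left to cross-origin policy"
    return "other", False, "scheme not allowed"


def audit_css(css):
    """Classify every url() value in a stylesheet, in document order."""
    return [classify_url(m.group(2)) for m in URL_RE.finditer(css)]


# Constructed sample input: a fake PNG (correct magic bytes, no real image data),
# a harmless empty SVG, a remote URL and an SVG mislabelled as PNG.
GOOD_PNG = "data:image/png;base64," + base64.b64encode(
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
SAMPLE_CSS = """
.a { background-image: url("%s"); }
.b { background-image: url(data:image/svg+xml;base64,PHN2Zy8+); }
.c { background: url('https://example.com/bg.png'); }
.d { background-image: url(data:image/png;base64,PHN2Zy8+); }
""" % GOOD_PNG

if __name__ == "__main__":
    for kind, ok, reason in audit_css(SAMPLE_CSS):
        print("%-6s %-5s %s" % (kind, "ALLOW" if ok else "REJECT", reason))
```

Run as a script it prints one verdict per url(): the PNG and the remote URL are allowed, the SVG is rejected by type, and the mislabelled one is rejected because the decoded bytes are not a PNG. The magic-byte check is what makes the MIME allowlist meaningful; without it a data URI only has to claim to be a raster image.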