[wp-meta] [Making WordPress.org] #1616: Remote CSS: Allow data URIs in CSS properties
Making WordPress.org
noreply at wordpress.org
Wed Mar 9 23:04:02 UTC 2016
#1616: Remote CSS: Allow data URIs in CSS properties
--------------------------+-----------------------
Reporter: ryelle | Owner: iandunn
Type: defect | Status: accepted
Priority: normal | Milestone:
Component: wordcamp.org | Resolution:
Keywords: has-patch |
--------------------------+-----------------------
Comment (by iandunn):
I haven't found anything definitive yet either.
I suspect that all modern browser engines will treat `background-image`
SVGs the same way Gecko does, but there are so many esoteric SVG
exploits^1^ that it's really hard to be confident in anything. Even if
JavaScript is disabled, there may still be XML attacks, etc.
I think we need some more research before this can be committed.
In the meantime, it looks like you're hosting the SVGs on an external
domain, so that the cross-domain policy offers some protection. Ideally we
want all resources hosted on wordcamp.org for longevity, but hosting them
externally sounds like a good compromise until this is sorted out.
[[br]]
![1] - For example, check out section 3.3 of
[https://www.ei.rub.de/media/hgi/veroeffentlichungen/2011/10/19/svgSecurity-ccs11.pdf Crouching Tiger -- Hidden Payload],
where `data:` URIs are used in ''inline'' SVGs to nest malicious SVGs via the `feImage` tag.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/1616#comment:4>
Making WordPress.org <https://meta.trac.wordpress.org/>
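The kind of vetting the comment above asks for, as an added example that is not part of the ticket, the patch, or the wordcamp.org code: a Python routine that inspects a `data:` URI found in a CSS property such as `background-image`. It decodes the URI, refuses any DTD before the XML parser can expand it (the "XML attacks" concern), and walks the SVG for `<script>`, event-handler attributes, external references and, as in the cited feImage trick, `data:` URIs nested inside `href` attributes, which it decodes and inspects recursively. The media-type allowlist, the nesting limit and the sample SVGs are assumptions constructed for this example; the Remote CSS feature itself is PHP, and the same logic ports directly.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_to_bytes

# Assumed policy: raster types need no markup inspection; SVG is parsed; anything else is refused.
RASTER_TYPES = {"image/png", "image/gif", "image/jpeg", "image/webp"}
MAX_NESTING = 3  # assumed limit on data: URIs nested inside data: URIs


def parse_data_uri(uri):
    """Split 'data:[<mediatype>][;base64],<payload>' into (media type, decoded bytes)."""
    m = re.fullmatch(r"data:([^,]*),(.*)", uri.strip(), re.S | re.I)
    if not m:
        raise ValueError("not a data: URI")
    params = [p.strip() for p in m.group(1).split(";")]
    media_type = params[0].lower() or "text/plain"
    if any(p.lower() == "base64" for p in params[1:]):
        data = base64.b64decode(m.group(2), validate=False)  # binascii.Error is a ValueError
    else:
        data = unquote_to_bytes(m.group(2))
    return media_type, data


def local_name(qname):
    """Strip the {namespace} prefix ElementTree puts on qualified tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def svg_issues(svg_bytes, depth=0):
    """Return the reasons an SVG document should not be embedded from CSS (empty list = none found)."""
    issues = []
    text = svg_bytes.decode("utf-8", "replace")
    # Refuse any DTD before parsing: internal entities (expansion bombs) and external ones (XXE).
    # Deliberately conservative: a '<!ENTITY' inside a comment is rejected too.
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        return ["DTD/entity declaration"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if local_name(root.tag) != "svg":
        issues.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ("script", "foreignObject"):
            issues.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)  # handles both href and xlink:href
            if aname.lower().startswith("on"):
                issues.append(f"event handler {aname} on <{name}>")
            if aname != "href":
                continue
            v = value.strip()
            if v.startswith("#"):
                continue  # same-document reference, e.g. filter="url(#f)" targets
            if v.lower().startswith("data:"):
                # The feImage trick from the cited paper: an SVG nested inside an SVG via a data: URI.
                issues.append(f"nested data: URI on <{name}>")
                if depth + 1 >= MAX_NESTING:
                    issues.append("nesting too deep")
                    continue
                try:
                    media_type, inner = parse_data_uri(v)
                except ValueError:
                    issues.append(f"malformed nested data: URI on <{name}>")
                    continue
                if media_type == "image/svg+xml":
                    issues.extend(f"nested: {i}" for i in svg_issues(inner, depth + 1))
            else:
                issues.append(f"external reference {v!r} on <{name}>")
    return issues


def css_data_uri_issues(uri):
    """Vet one data: URI taken from a CSS property value; empty list means it passed."""
    try:
        media_type, data = parse_data_uri(uri)
    except ValueError as exc:
        return [str(exc)]
    if media_type in RASTER_TYPES:
        return []
    if media_type != "image/svg+xml":
        return [f"media type {media_type!r} not allowed"]
    return svg_issues(data)


def to_data_uri(svg_text):
    """Encode SVG text as a base64 data: URI, as a theme author would paste it into CSS."""
    return "data:image/svg+xml;base64," + base64.b64encode(svg_text.encode()).decode()


# Constructed samples (not taken from the ticket or any real theme).
PLAIN = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09c"/></svg>'
SCRIPTED = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(2)</script></svg>'
ENTITY = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY e "x">]><svg xmlns="http://www.w3.org/2000/svg">&e;</svg>'
NESTED = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
          '<filter id="f"><feImage xlink:href="' + to_data_uri(SCRIPTED) + '"/></filter>'
          '<rect width="10" height="10" filter="url(#f)"/></svg>')

if __name__ == "__main__":
    for label, svg in [("plain", PLAIN), ("scripted", SCRIPTED), ("entity", ENTITY), ("nested", NESTED)]:
        print(label, css_data_uri_issues(to_data_uri(svg)))
```

Note that this inspects the markup only; it says nothing about how a given engine renders an SVG used as a CSS image, which is the open question in the comment. Rejecting every non-fragment `href` is the simplest policy; the recursive branch is there to show what the nested payload looks like once decoded.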