Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable in-content SVG rendering #276

Merged
merged 1 commit into from
May 2, 2017
Merged

Disable in-content SVG rendering #276

merged 1 commit into from
May 2, 2017

Conversation

nodiscc
Copy link
Contributor

@nodiscc nodiscc commented Apr 28, 2017

Can be considered for relaxing #231

@nodiscc
Disable in-content SVG rendering
9ab7619 
Can be considered for relaxing #231
@nodiscc nodiscc mentioned this pull request May 2, 2017
Open
@pyllyukko pyllyukko merged commit c88dfc8 into pyllyukko:master May 2, 2017
@TriMoon
Copy link

TriMoon commented May 5, 2017
edited
Loading

Why would one want to do this??
The only reason i can think of is embedded javascript inside the SVG, but that can be blocked by other means eg Content-Policy and blocking addons like uMatrix.

AFAIK plain SVG is harmless.

@pyllyukko
Copy link
Owner

pyllyukko commented May 6, 2017
edited
Loading

There has been vulnerabilities in SVG parsing, so I wouldn't consider it as harmless. It's about reducing attack surface.

I do realize, that this might break bunch of stuff as was also noted here. And we might need to revisit this setting.

If you check Firefox security advisories, there's a whole bunch of SVG related vulnerabilities.

@TriMoon
Copy link

TriMoon commented May 6, 2017

Thanks i wasn't aware of that (fixed) exploit in svg... 👍

@nodiscc
Copy link
Contributor Author

nodiscc commented May 7, 2017

For reference there was at least one (fixed) severe security issue with SVG in Firefox: https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/ (Firefox SVG Animation Remote Code Execution - Firefox 50.0.2, ESR 45.5.1)

@pyllyukko pyllyukko mentioned this pull request May 27, 2017
Closed
@nodiscc nodiscc deleted the disable-svg branch February 21, 2018 17:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nodiscc @TriMoon @pyllyukko