"Security restrictions" when linking to external stylesheet from SVG (when embedded as an image)

Problem description
According to this answer "for security reasons images must be standalone files". That is, when including an SVG file using an img tag it cannot reference any external stylesheets.

I think I've run into the same issue when trying to include SVGs as background images using CSS. The SVGs link to other SVG files and display fine when viewing them in Firefox directly, but fail to show the linked content when included as a CSS background image.

What are these 'security reasons' and where can I find out more information about them?

Solution

Consider a hypothetical forum that allows SVG images as avatars. If external resources were allowed a trickster/malicious user could upload an SVG file that contains <image xlink:href="http://evilhacker.com/myimage.png"> and (assuming they control evilhacker.com), they could do any & all of the following:

  • receive a ping at their own domain whenever anyone views their profile (& log the ip address of the person viewing it)
  • potentially serve a different-looking avatar to different people based on their IP address, request-headers, etc.
  • potentially change the appearance of their avatar at-will (i.e. wait for forum-admins to approve it thumbs-up, and then change it to be NSFW)

See this Mozilla bug and the SVG integration specification for more details.
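The browser-side rule the answer describes (an SVG used as an image must be self-contained) has a server-side counterpart: a site that accepts SVG uploads can refuse files that reference anything outside themselves before they are ever served. The following is an added example, not code from the original question, the answer, or any named project. It scans an SVG for every construct that would make a renderer fetch another resource: `href`/`xlink:href` attributes (the `<image xlink:href="http://evilhacker.com/...">` case from the answer), `url()` and `@import` inside `<style>` elements and `style` attributes, and `<?xml-stylesheet?>` processing instructions (which `xml.etree` drops, so those are found with a regex over the raw bytes). Fragment references (`#id`) and `data:` URIs are treated as internal; the sample SVGs, the `evilhacker.com` URLs in them, and the function names are all constructed for this example.

```python
"""Detect external references in an uploaded SVG (hypothetical avatar-upload check)."""
import io
import re
import xml.etree.ElementTree as ET

XLINK_NS = "{http://www.w3.org/1999/xlink}"
# URL-carrying attributes: SVG 1.1 uses xlink:href, SVG 2 allows a plain href.
HREF_ATTRS = {"href": "href", XLINK_NS + "href": "xlink:href"}
# CSS constructs that trigger a fetch: url(...) in any property, @import in <style>.
CSS_URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]*)\1\s*\)""", re.I)
CSS_IMPORT_RE = re.compile(r"""@import\s+(?:url\()?\s*['"]?([^'"\s;)]+)""", re.I)
# <?xml-stylesheet href="..."?> sits before the root element; ElementTree discards
# processing instructions, so it is located in the raw bytes instead.
XML_STYLESHEET_RE = re.compile(rb"<\?xml-stylesheet\b(.*?)\?>", re.S | re.I)
PI_HREF_RE = re.compile(r"""href\s*=\s*['"]([^'"]+)['"]""", re.I)


def is_external(ref: str) -> bool:
    """Only a same-document fragment (#id) or an inline data: URI stays inside the file."""
    ref = ref.strip()
    return not (ref == "" or ref.startswith("#") or ref.lower().startswith("data:"))


def _css_refs(css: str):
    """Yield every URL mentioned by url() or @import in a CSS fragment."""
    for m in CSS_URL_RE.finditer(css):
        yield m.group(2)
    for m in CSS_IMPORT_RE.finditer(css):
        yield m.group(1)


def find_external_references(svg: bytes) -> list[str]:
    """Return a description of each reference that would make a renderer fetch
    another resource. An empty list means the SVG is self-contained.
    Raises xml.etree.ElementTree.ParseError on malformed XML."""
    found: list[str] = []
    for match in XML_STYLESHEET_RE.finditer(svg):
        for href in PI_HREF_RE.findall(match.group(1).decode("utf-8", "replace")):
            if is_external(href):
                found.append(f"xml-stylesheet: {href}")
    # "end" events are used because an element's text is only complete at its end tag.
    # Note: xml.etree still expands internal DTD entities; size-limit uploads or
    # parse with defusedxml if that is a concern for your service.
    for _event, elem in ET.iterparse(io.BytesIO(svg), events=("end",)):
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        for attr, label in HREF_ATTRS.items():
            value = elem.attrib.get(attr)
            if value is not None and is_external(value):
                found.append(f"<{tag} {label}>: {value}")
        for ref in _css_refs(elem.attrib.get("style", "")):
            if is_external(ref):
                found.append(f"<{tag} style>: {ref}")
        if tag == "style" and elem.text:
            for ref in _css_refs(elem.text):
                if is_external(ref):
                    found.append(f"<style>: {ref}")
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def accept_avatar(svg: bytes) -> bool:
    """Upload policy: a self-contained, well-formed SVG is accepted; anything else is not."""
    try:
        return not find_external_references(svg)
    except ET.ParseError:
        return False


# Constructed samples for this example (not from the original thread).
HOSTILE_SVG = b"""<?xml version="1.0"?>
<?xml-stylesheet href="http://evilhacker.com/avatar.css" type="text/css"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="64" height="64">
  <style>@import "http://evilhacker.com/theme.css"; .a { fill: url(#grad); }</style>
  <defs><linearGradient id="grad"/></defs>
  <image xlink:href="http://evilhacker.com/myimage.png" width="64" height="64"/>
  <use href="#shape"/>
  <rect id="shape" style="fill: url(http://evilhacker.com/p.svg#pat)" width="10" height="10"/>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <style>.a { fill: url(#grad); }</style>
  <defs><linearGradient id="grad"/></defs>
  <use xlink:href="#grad"/>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
</svg>"""

if __name__ == "__main__":
    for name, sample in (("hostile", HOSTILE_SVG), ("benign", BENIGN_SVG)):
        print(name, "accepted" if accept_avatar(sample) else "rejected")
        for hit in find_external_references(sample):
            print("   ", hit)
```

Running the file reports the hostile sample as rejected with four findings (the stylesheet PI, the `@import`, the `<image xlink:href>`, and the `url()` in the `style` attribute) and the benign one as accepted. Rejecting rather than rewriting is deliberate: the avatar case in the answer shows that a reference which is harmless at review time can be repointed later, so a file that needs any external resource should simply not be accepted as an image.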
