From: Vasilij Schneidermann
To: Alan Third, lg.zevlg@gmail.com, Eli Zaretskii, emacs-devel
Newsgroups: gmane.emacs.devel
Subject: Re: Loading svg from memory using custom filename for base_uri
Date: Thu, 3 Dec 2020 17:56:56 +0100
Message-ID: <20201203165656.GE1196@odonien.localdomain>

> I'm also wondering whether this is something that would be useful when
> loading from a file and not just data? It might be considered a
> security risk, I suppose?

The examples in show files relying on a correctly set base-uri to work.
There might be a security risk if images are included that shouldn't be.
Browsers typically rely on Same-Origin Policy to shield off that risk (for
example a file:/// URL may only include other file:/// URLs), but it's a
heavy-handed solution and requires extra care to avoid bypasses.
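
The check discussed in the message above, as an added example that is not code from the thread, Emacs or librsvg: each href in an SVG is resolved against the base URI and then allowed or denied. The function names, the sample document and the stricter "stay inside the base document's directory" rule (confine=True) are assumptions made for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urljoin, urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

def check_reference(base_uri, href, confine=True):
    """Return (allowed, reason) for an href found in an SVG loaded with base_uri."""
    if urlsplit(href).scheme == "data":
        return True, "inline data, nothing is fetched"
    base, target = urlsplit(base_uri), urlsplit(urljoin(base_uri, href))
    # Rule described in the post: a file: document may include only file: URLs.
    if (target.scheme, target.netloc) != (base.scheme, base.netloc):
        return False, "different origin"
    if not confine or target.scheme != "file":
        return True, "same origin"
    # Assumed stricter rule: the target must stay under the base document's directory.
    # Percent-decode before normalising so an encoded ".." segment is not missed.
    root = posixpath.dirname(posixpath.normpath(unquote(base.path)))
    path = posixpath.normpath(unquote(target.path))
    if posixpath.commonpath([root, path]) != root:
        return False, "outside " + root
    return True, "inside " + root

def audit_svg(svg_text, base_uri, confine=True):
    """Map every href / xlink:href in the SVG to its allow-or-deny decision."""
    decisions = {}
    for element in ET.fromstring(svg_text).iter():
        for attr in ("href", XLINK_HREF):
            href = element.get(attr)
            if href is not None:
                decisions[href] = check_reference(base_uri, href, confine)[0]
    return decisions

# Constructed sample document and base URI (not taken from the thread).
SAMPLE_BASE = "file:///home/user/pics/drawing.svg"
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="logo.png"/>
  <image href="../notes.png"/>
  <image href="%2e%2e/notes.png"/>
  <image href="file:///etc/hostname"/>
  <image href="http://example.org/remote.png"/>
  <image href="data:image/png;base64,AAAA"/>
</svg>"""

if __name__ == "__main__":
    for href, ok in audit_svg(SAMPLE_SVG, SAMPLE_BASE).items():
        print("allow" if ok else "deny ", href)
```

With confine=False only the scheme and host comparison applies, so every file: reference in the sample is allowed, including the ones that leave the document's directory.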