Block SVG external references in the Chromium port
Created attachment 171165 [details] Patch
I expect that this will cause some tests to fail. I haven't tested locally.
Comment on attachment 171165 [details] Patch r=me
Comment on attachment 171165 [details] Patch I would have phrased this the other way, and made the define = 0 in Platform.h. Or just turned it off for everyone if we're really concerned.
Sorry, I would have re-phrased the ENABLE in the positive as well. ENABLE_SVG_EXTERNAL_RESOURCES. The naming doesn't really matter that much. It also depends on how long we plan to keep it off. :)
Comment on attachment 171165 [details] Patch Ok. I'll flip around the enable. Apparently the spec is going through a security review now. krit is going to look in the WebAppSec working group. I suspect the net result is that we're going to want to use CORS for these loads.
s/look/loop/
<rdar://problem/12591955>
Created attachment 171295 [details] Patch
Comment on attachment 171295 [details] Patch Is there a timeline for this review?
> Is there a timeline for this review? I don't think krit has emailed security@chromium.org yet, but it will likely go in the review queue when he does.
Created attachment 171302 [details] Patch for landing
Comment on attachment 171302 [details] Patch for landing Clearing flags on attachment: 171302 Committed r132849: <http://trac.webkit.org/changeset/132849>
All reviewed patches have been landed. Closing bug.
(In reply to comment #13) > (From update of attachment 171302 [details]) > Clearing flags on attachment: 171302 > > Committed r132849: <http://trac.webkit.org/changeset/132849> ... and a fix landed in http://trac.webkit.org/changeset/132869 without any reference to the original bug and/or revision.
For future reference, these appear to have been re-enabled in http://trac.webkit.org/changeset/133538.