edemaine
commented
2 years ago I'm not sure what this was — fonts from Cocreate uploads seem to be fine (and have been for a while).
Open edemaine opened 3 years ago
edemaine
commented
2 years ago I'm not sure what this was — fonts from Cocreate uploads seem to be fine (and have been for a while).
edemaine
commented
1 year ago Actually, this still seems to be an issue on Chrome and Firefox, unless you have Roboto Slab installed as a local font. See https://www.w3.org/wiki/SVG_Security#SVG_as_image
The SVG document is not allowed to fetch any resources.
Example of bad file: https://coauthor.csail.mit.edu/6.892-2019/m/PDvB6iHcuiGyN2LwT
This affects uploaded Cocreate exports.
We could embed SVG files via the
<object>tag, but given that everything is same-origin, this would enable JavaScript in the SVG.Alternatively, we could sanitize and inline SVG. This seems to be the only workaround (other than changing Cocreate to embed fonts).
Alternatively, we could preprocess SVG files with Nano. See their comparison.Oops, but Nano isn't open source.