Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Same Origin Policy exception #22

Open
prushforth opened this issue Sep 16, 2018 · 1 comment
Open

Same Origin Policy exception #22

prushforth opened this issue Sep 16, 2018 · 1 comment
Labels
privacy/security considerations

Comments

@prushforth
Copy link
Member

MapML, like HTML, is a hypertext format. Among other things, this means that it has embedded links to resources, particularly images, tiles and other MapML documents which compose a map layer.

SVG, also a hypertext format, is affected by the Same Origin Policy in the way that when it is loaded by the <img src="test.svg" width="100" height="100"> tag, resources that it links to are not loaded, regardless of origin. For example, this HTML document:

<html>
  <head>
    <title>svg-linked image</title>
    <meta charset="utf-8"/>
  </head>
  <body>
	<img src="test.svg" width="100" height="100">
<svg width=100 height=100>       
  <image href="https://mdn.mozillademos.org/files/6457/mdn_logo_only_color.png" height="100" width="100"/>    
</svg>

  </body>
</html>

renders like this in chrome:

image

The content of test.svg is as follows:

<svg width="100" height="100" 
     xmlns="http://www.w3.org/2000/svg" 
     xmlns:xlink="http://www.w3.org/1999/xlink">       
  <image xlink:href="https://mdn.mozillademos.org/files/6457/mdn_logo_only_color.png" height="200" width="200"/>    
</svg>

The same relationship exists between a MapML document and remote resources, except it is more important for MapML, because virtually everything is drawn by compositing external resources onto the map canvas.

This will mean that the proposed <layer src="test.mapml"> will have to negotiate an exception to this (mis-)application of the Same Origin Policy.

Hat tip to Amelia's book for bringing this to my attention.
@AmeliaBR
Copy link
Member

Since <layer> is a new element, I don't think there are any legacy expectations about what a document loaded with it can or can't do. Examples of existing HTML elements that load documents (SVG, HTML, other) which can then load other resources are <iframe>, <object>, and <embed>.

The limitations on <img> would only come into effect if you are hoping to be able to load an external MapML document as <img src="my.mapml" />.

That said, to go back to the original question of same-origin versus cross-origin, any new HTML element that loads external resources would need to use the crossorigin attribute.

For an element that loads fully-functional documents (which can in turn load other files or trigger interactive behavior), I suspect it will be easier to gain support if it also supports the modern sandboxing model used by the <iframe> element.

@Malvoz Malvoz mentioned this issue May 11, 2020
Merged
@Malvoz Malvoz mentioned this issue Dec 15, 2020
Open
@Malvoz Malvoz mentioned this issue Mar 24, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
privacy/security considerations
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@prushforth @AmeliaBR @Malvoz