Inkscape SVG unresizable in Firefox (needs viewBox?)

Created an attachment (id=169879)
testcase

So to get this to work we'd need an nsIImage implementation for SVG, and an
imgIDecoder. These will have to allow pixel-by-pixel access to the SVG image
data (presumably cached, not computed on every pixel access) and provide some
metadata about the image (notably the intrinsic size).

If that's done, there will need to be no changes to nsImageFrame, since SVG will
just look like any other image. Note that this will not allow interactivity and
such the way <object> does.

I don't think it makes sense to "decode" an SVG image in to an nsIImage. Things
like animation, etc won't work if you do this (without a huge amount of extra
work). If we really want this to work, i'd guess that changes similar to those
in the object frame would have to go in to image frame. That kinda sucks though
and isn't very flexable...

Frankly, we want to have SVG working in list-style-image, background-image, etc,
etc, not just in <img>.

So either all images work the same way (and all these places use the image
apis), or we don't support SVG images (just SVG documents) or we hack every
single one of these places somehow, probably implementing the equivalent of
SVG-to-nsIImage glue in 3-4 places.

This is complicated by the fact that for <img> we won't know we're dealing with
SVG until we get it.... For <object>, if it claims to be SVG and comes out HTML
we just render the HTML, but for <img> that would seem to be somewhat
undesirable. 404 pages in <img> tags, anyone? ;)

note bug 272288 comment 1 and (especially) bug 231179...

Any disposition on this bug? It would definitely be an improvement to support
SVG wherever a raster image is allowed (<img> tag, background images, etc).
This could turn out to be a killer feature for a browser to have.

What makes this killer is if the image is a "live" SVG image
(though I will agree with Tim Rowley in Bug 272288, that it is ambiguous in the
SVG spec). Imagine being able to animate your background image while displaying
your HTML over top. Currently this is only possible with a compound XHTML
document or some form of foreignObject within a SVG root document.

I am sure there was a Gecko demo at some point with animated GIF backgrounds.

*** Bug 298682 has been marked as a duplicate of this bug. ***

Would it make things much easier to leave out the animation part for the time
being? I guess that most users are interested in simply replacing unanimated
images with SVG ones (e.g. to improve quality).

when using <image xlink:href="example.svg"/> in ASV the result is always a
static SVG, no animation no scriting. i think this is the desired behaviour for
<html:img> as well. the interactivity and animation feature for background
images would be cool, but can wait, given that there is currently no animation
support, and i think user events dont make sense on backround images, so
enabling scrips in image is questionable. if you need script access you got to
use <object> because image does not have any scripting interfaces (
contentDocument,contentWindow)
maybe just enable the onload event.
so i guess the solution Boris Zbarsky proposed in comment #2 would be the right
way to go for now.

I agree that the simple solution right now would be to do what Holger is
suggesting (a frozen and isolated view of the SVG document) if it will mean
quicker implemention. And while I agree with Holger's interpretations, I would
recommend contacting the W3C CDF working group as they are the definitive source
of answers (even if they don't have all the use cases yet) .

At least in my initial emails with Chris Lilley he felt that scripting and
animation could still happen in a background-image or a <img> (which would be
nice). He did agree that events would not be able to flow from HTML DOM to SVG
DOM through background-image (i.e. SVG is "underneath") but that events might be
able to go through HTML DOM to SVG DOM. The bottom line is that all these use
cases need to be thought out and described unambiguously in the CDF spec.

See http://www.w3.org/TR/2005/WD-CDRReqs-20050404/ and
http://lists.w3.org/Archives/Public/public-cdf/ for more and let's get that
clarified soon so Mozilla has clear direction on implementation.

correction:

"...but that events might be able to go through HTML DOM to SVG DOM through an
html:img tag"

A note on perspective and intrinsic sizing, I just wanted to leave a quick
pointer to bug 70978 (and maybe bug 70976). That is to say, it would be (more
than) nice for the ability to include an SVG graphic, say only specifying an 80%
width, and have the height automatically scaled to maintain the image's
intrinsic perspective. If I want to include an SVG banner for a website that
will scale properly when displayed on a 2" Cell Phone screen or 20" Desktop LCD
- I can specify a width of 80% of the page, but there is then no way to specify
a height that will maintain the image's perspective. Em's could be used, but
that's a less than ideal workaround.

This missing function really suck. Now when we have native SVG support in stable version of FF. In the bug 320875 is testcase with nodefault object size but with size defined in the SVG file in contrast to the PNG.

(In reply to comment #4)
> This is complicated by the fact that for <img> we won't know we're dealing
> with SVG until we get it.... For <object>, if it claims to be SVG and comes
> out HTML we just render the HTML, but for <img> that would seem to be somewhat
> undesirable. 404 pages in <img> tags, anyone? ;)

If we support SVG in <img> then I see no reason we wouldn't support HTML in <img> (with 404s being handled as failed loads just like for <object> elements -- <iframe> is the only one of these element that ignores errors and doesn't fall back to its fallback for them). In fact, I don't see how we couldn't. Anything that supports SVG automatically supports HTML in our architecture. They're the same thing, for all intents and purposes.

The question is whether we want to support vector graphics in <img> at all. One could argue that <img> (just like <svg:image> in SVG Tiny) should be only for raster images. But then one could also argue the opposite...

I suppose one option (which reading the comments again may have been what you had in mind anyway) is to say that any |Document|s that end up rendered by an <img> are rendered as static bitmaps, much like if they were used in CSS, so that they are image |Frame|s and so we sidestep the problem hyatt would have with all this (namely that <img> should always have the same kind of render frame, and that it shouldn't be able to change from an image render frame to an iframe render frame, for example). Hmm...

I we should have the following guidelines when using SVG as a graphics format:

1) Scripts should not be executed.
2) Elements in non-SVG namespaces should generally be ignored.
3) Any elements unrelated to presentation should be ignored.
4) CSS should be ignored???

I do not think rendering a one-time static image is a good option, because the image can't be resized. Wasn't that the whole point of vector graphics to begin with? Also, we already allow stuff like animated GIF images (and MNG when using MNGZilla), so I don't see a justification for using a static image for SVG unless animation in SVG cannot be accomplished without scripting. (I admit that my knowledge of SVG is to limited to make a determination on the latter issue.)

Allowing SVG in <img>s is bad news. Many web applications differentiate <img> as fairly innocuous allowing it even from third parties, but not <object>, because <object> holds power.

SVG is incredibly powerful. It contains scripting, hyperlinks, <svg:image> even allows possibly third-party images to make HTTP requests. I also suspect that a fairly small SVG can DoS the renderer by requiring exponential time to render. That is a huge paradigm shift.

<img> tags would require a neutered implementation of SVG to match the security model of most sites, even more so than just dropping scripting and animation - it would need at least to disallow <svg:image> links to third and fourth parties, and have a render timeout.

I would recommend this is not fixed until that stuff can be thoroughly looked at.

Agreed. As per comment #10...

Btw, I consider this a low-priority bug compared to the SVG CSS one (Bug 231179). The CSS bug prevents us from doing really cool things. This bug would just be a "nice to have"...

You can already do most things you need to do here with the object tag, so it doesn't hurt developers as much. As developers, we can just use <object> anywhere you wanted to use an <img> tag (unless I'm missing something).

The SVG CSS bug is really the same bug as this, basically... That is, the functionality needed from the point of view of Gecko is the same. Some of the security concerns are different, of course.

(In reply to comment #17)

> 1) Scripts should not be executed.

maybe enable only the onload event, like the batik-rasterizer does.

> 2) Elements in non-SVG namespaces should generally be ignored.

if we could have the onload event and/or XSLT transformations (or even xbl), elements from other namespaces might be usefull.

> 3) Any elements unrelated to presentation should be ignored.
> 4) CSS should be ignored???

no, css stylable images are cool !

>
> I do not think rendering a one-time static image is a good option, because the
> image can't be resized. Wasn't that the whole point of vector graphics to begin
> with?

well, i guess the svg should be re-rasterized when the size changes.

> Also, we already allow stuff like animated GIF images (and MNG when using
> MNGZilla), so I don't see a justification for using a static image for SVG
> unless animation in SVG cannot be accomplished without scripting.
>

yes you could prerender some frames and then display them in a loop,
the problem is that there is no way to determin how long the animation takes.

> maybe enable only the onload event, like the batik-rasterizer does.

From an XSS/security point of view, this is equivalent to allowing all scripting.

(In reply to comment #23)

> From an XSS/security point of view, this is equivalent to allowing all
> scripting.

i see :-( , so what about xslt/xbl then ?

Probably OK, though most of XBL would not work (no scripting, so no constructors, etc). You could still create anonymous content, though. That seems reasonably safe.

What if the img tag supported only SVG Tiny, with the object tag required to use full SVG? This seems to (at least theoretically) answer the security concerns, while still allowing a well-documented subset of SVG in the img tag. I can see only two clarifications which would need to be added: foreign namespaces are not recognized when included through the img tag, and svg:image would not support SVG (but would support, for example, JPEG and PNG, and possibly other bitmap formats) when included through the img tag.

SVG Tiny doesn't support scripting, it doesn't necessarily have to support elements from other namespaces, and it doesn't necessarily have to support SVG in the SVG:image tag. Would an implementation of SVG Tiny which didn't support these two optional things be safe? Obviously you couldn't do everything with this that you could with full SVG, but I'm not sure this is a Bad Thing, since the object tag still exists to handle full SVG.

It seems to me that if this method can be shown safe then it would provide, if not necessarily the best of both worlds, then at least a decent compromise. The full power (and danger) of SVG would not be available through the img tag, but a well-documented standard subset would be. Tiny is, by itself, powerful enough to handle most aspects of vector graphics, and what it can't handle could be dealt with through the object tag.

It's just a thought, anyway. I might even be wrong about Tiny being safe, in which case the whole thing is moot. But if it would be safe, then might it be satisfactory?

> SVG Tiny doesn't support scripting

You must mean SVG Tiny 1.1 or something? SVG Tiny 1.2 most certainly does.

More to the point, implementing both SVG profiles in the same code is a lot of work -- about twice as much work as only implementing one and putting some restrictions on it.

(In reply to comment #26)
> What if the img tag supported only SVG Tiny, with the object tag required to
> use full SVG?

i would object to that, i think this feature would be nice to have especially where you need a complex graphic, but you dont need a dom and stuff.
especially the most expensive features of SVG like filters would benefit most from solving this bug, because then i could pack tons of filters in a file,
without loosing performance of the browser, but filters are not part of SVGT. using SVGT would cost to many features, like clippathes, masks, opacity, gradients, filters.
i recently had a little project where this would come in handy, i wrote an XSLT to create a barchart on the clientside. the largest benefit here is
the saved serverload and bandwidth. so only a small chart description is send to the browser. with xslt, i turn that description into a complex barchart graphic with 100s of objects with grandients , opacity, strokes and filters
this works great, but try embeding this chart in a html file; firefox nearly
dies when you try to scroll. as i dont want to change the chart via script, a one shot still image would be enough for me. having this bug fixed would gain me the best of two worlds: decreased server load and bandwith, and good performance on the client while still providing graphicly rich content.
(here is an example: http://www.treebuilder.de/default.asp?file=172558.xml i had to revert to a prerendered image because of the performance issues, and this is only a small example )

also i think it is not neccesarry to revert to SVGT because SVG allows for sub profiling via modules. so we could have an SVG full implementation without the scripting module.

What exactly are the security concerns? I mean what can be exploited via scripting that can harm the user or steal his data? An SVG embedded via img does not have any relation to the parent document so it can't steal any data. And XmlHttpRequest does only work on the same domain name anyway so there is no way to send any stolen data.
And how do these security concerns relate to svg images in css? (#231179) CSS is used by the site author and is not meant to harm anybody, whereas the img tag can be used by and 3rd person in message boards for example.

there are other ways to send data than XMLHttpRequest... (forms, <img src="....?data=whatever"> come to mind)

> I mean what can be exploited via scripting that can harm the user or steal
> his data?

Simple example: an SVG image posted as part of a MySpace (or LiveJournal, or whatever) page that steals other MySpace users' MySpace cookies and sends them to some other server by any of the various means that can be used to send text data (biesi mentioned some, there are others).

The same-domain restrictions of XMLHttpRequest are not so much there to prevent info being sent to a site that wants it, but rather to prevent attacks against web services via sending them XML they do not want and do not expect.

In general, I suggest that anyone planning to comment on this bug take a few hours to read up on the current state of XSS exploits on the web before doing so. It would help make the comments much more constructive.

> CSS is used by the site author and is not meant to harm anybody

Many sites of the sort we're talking about here allow users to upload CSS to style their page.

Hmm... what about foreignObject? Could it (reasonably, by a human) be implemented so that it would be safe, or would it open social engineering attacks that couldn't be stopped by simply blocking script? I'm thinking here of a full-page SVG with embedded HTML that looks like a login screen, complete with form submitting to the outside. Would it work to just block forms in <img> as well as script? Would that be reasonably doable? If not, would other content types be safe (audio, video)?

Note that some sort of descending into referenced objects to block script will have to be done, as when bug 231179 and bug 272288 are fixed, otherwise one could just include script in the svg-referenced-by-svg. So that descending should also work to block scripts in other file formats. But would that be enough?

i think a static snapshot image of the svg, with all scripts ignored, coud not
be any more or less secure than any other image format. in the end its all just pixeldata, even the forms in foreignObject. or am i missing something ?

The only scripting support I can see a need for in simple images (img and CSS) is simple DOM manipulation (deletion, creation and read-write access to objects, no events). Why not simply block anything else, and not allow the SVG to access anything outside its own document (no cookie access, I can't see an use for it either in simple images)?

For SVG applications that will take user input, ordain the use of the object element.

> Why not simply block anything else

Because that involves making an exhaustive list of "everything else" and adding checks to all of it. It's very very hard to get this right without leaving any holes, and places a burden on implementations of every single DOM method to check for this case.

I'm not really sure what the discussion is about. There's pretty much agreement that SVG in <img> means no script, last I checked. The remaining questions are how to actually best do the rendering.

Being able to display SVG from untrusted sources without the risk of running embedded scripts sounds to me like a good idea in general, and shouldn't be limited to the <img> tag. Maybe some requirement like 'scripted="yes"' could be added to both the <object> and <img> tags.

Mozilla supports SVG natively
could svg code and attachments display inline?

this could be a considerable enhancement for everyone.
But particularly for people with low literacy who prefer illustrations or symbols with their text.

web examples include http://www.peepo.co.uk and http://www.peepo.com

there have been attempts to develop specialist email clients for symbol users in the past.

I'm experiencing the same problem on Ubuntu 7.04. Please add Ubuntu into the OS field. I don't seem to have permissions required for doing that.

So, is there any reason that this should work other than that some spec says so? Is there a reason it would be useful to authors? Is there a good reason that the spec asks for it other than somebody's idea of theoretical purity? Some use case that it satisifies, that using object doesn't?

SVG, in reality, is a document format, not an image format, and I don't see why we shouldn't just treat it like other document formats.

(I'm asking because fixing this seems like a good bit of work and a good bit of extra security exposure, and doing that requires a good reason.)

While SVG may in reality have been designed as a document format, its uses in practice are primarily as an image/graphics format, whose natural home in the mind of a web developer has always been in <img>. I don't think you can reasonably fight this intuition, particularly without support from other browsers.

Let's look, for example, at the following wikipedia image page:

http://en.wikipedia.org/wiki/Image:Hexahedron.svg

It contains a PNG preview of an SVG image and a link to it. I believe that it would be cleaner if the preview used the svg image itself, and left rendering of the SVG for the web browser.

(In reply to comment #43)
> I believe that it would be cleaner if the preview used the svg image itself,
> and left rendering of the SVG for the web browser.

It would indeed, but I don't think that's quite the distinction being made.

The question is whether it's worthwhile to support <img> when perfectly adequate support already exists in <iframe>, <object>, etc. with understood and effective security mechanisms in place to prevent the SVG (or any other document format loaded instead) from escaping its prison. (There's no reason Wikipedia couldn't do that now, with Accept or user-agent detection.) Those security mechanisms would have to be modified or reinvented for supporting SVG in <img>, or the document-support code would have to be modified to provide an <img>-style context; implementing either is a decent-sized task with lots of potential for regressions (and security ones, at that).

As a web author who has basically been waiting for this for 6 years now (see bug 70978), and since this blocks bug 231179, I will comment...

I don't author many pages with bar charts or anything where you would put the graphics as actual content of the page... like most authors, I use graphics mainly for logos/themes/styling via CSS image replacement - I write device independent semantic pages, and *all* the style goes in the CSS.

I want to author a *single* web page which will display on both my cell phone browser and my 30" LCD - and right now such a page can only contain text. I can author one version of a page, along with a separate CSS theme for each media type, guessing at suitably sized bitmap images for each type, but this is, simply put, a hack, and a lot of extra work, and can never properly scale for all devices. Without support for referencing SVG graphics from CSS, I can never create a truly device independent theme for my pages without compromising them semantically (which I am not willing to do).

There's quite a difference between IMG and OBJECT/IFRAME. As with SVG loaded from CSS, IMG should limit graphics to be non-interactive, whereas OBJECT would always support the full set of SVG features (scripting in particular). Intrinsic sizing is another point.

See also http://blog.vlad1.com/archives/2006/10/07/125/

 (a general comment)

 - img -

img-tag is an old design error in html,
reminding us from times when other media types
were not widely used. Sometimes it is very
annoying that only text can be used as
alternative representation. alt-attribute is also
often used for something else than an actual
alternative representation for the idea that the
image is used for. Correct alt for a flag picture
in language selector would be something like...

<img src="fr-flag.png" alt="display the page in french" />

 - object -

While it is possible to use object tag for the
same purpose and thus create greater alternative
representations. It doesn't always work because
of lacking browser support. If img-tags had
never been invented this would of course not
be a problem. Anyway, if a web designer wishes
to go for object tags he can do e.g.

<object data="fr-flag.png">
  display the page in <em>french</em>
</object>

 - xhtml 2 -

When it comes to the future, I think xhtml 2
team has finally dropped img-tag completely.

Iirc the idea is that videos, images, etc.
would be themselves alternative representations
for something. The code would look something
along these lines... (pardon me for not checking
the actual syntax)

<p src="map.png">
Germany is located at the center of Europe.
</p>

In the light of this (imo sane) notation paradigm,
even the object tag is questioned, as it might
be by people as a null-tag just to have some tag
to attach the media to. There are already general
null-tags (div and span) and the question is whether
or not use of object adds any useful semantics.

(In reply to comment #45)
> As a web author who has basically been waiting for this for 6 years now (see
> bug 70978), and since this blocks bug 231179, I will comment...
>
> I don't author many pages with bar charts or anything where you would put the
> graphics as actual content of the page... like most authors, I use graphics
> mainly for logos/themes/styling via CSS image replacement - I write device
> independent semantic pages, and *all* the style goes in the CSS.

<snip>

I agree with the above, I want bug 231179 to be implemented, which is why I want this blocking bug also resolving. Like Chris Hubick, I would like to have svg as background images. Unlike Chris, I would also like to use svg for graphs etc. - however, for this purpose I find the object tag to be appropriate, using something like a table to represent results.

Therefore, I would be happy to drop this bug *IF* 231179 could be achieved a different way that did not require this.

using something like a table to represent results.

should have been

using something like a table to represent results when the svg of the graph cannot be handled, rather than being limited to the img tag's alt keyword and a link to tabulated data.

If this means anything - I agree with Martin - SVG as background-image is more important to me than using img

This is required for bug 435299, and so it should be on the wanted-1.9.1 list (at least).

I'd like to add that Opera 9.5 supports this properly.
Using <object> as an alternative is not an option, because an object is not sensitive to a surrounding <a> tag (<a href...><object .../></a> is not clickable).

I wonder if this could also be made to work in XUL, if that's not made inevitable when this may be fixed. For example, it'd be great to have (localizable) SVG available within <toolbar image=>, etc.

Is there any news about this bug? Because I'm looking for a way to make SVG files clickable, and as comment 53 describes: <object> tags doesn't seem to be sensitive to surrounding <a> tags.

Questions about this.

I think there is agreement that no scripts will be run in SVG files included with HTML:img elements. But what if you have:

<a href="blah.html"><img src="foo.svg" /></a>

and foo.svg has clickable regions in it (svg:a links of its own). What should happen? What does Opera do? Is the whole region just treated as a rectangular blob of pixels? This would seem to make sense as that is what web developers expect from the HTML <img> tag.

What does the HTML5 spec say?

The image is treated as a unit. I seem to recall some spec saying this, but I don't know where. Anyway it's the only reasonable thing to do.

Hello,

I've investigated how Opera handles the SVG inside <img> tag and I think they do this quite reasonably. If this would be helpful, here is a short summary (when refering to "foo.svg" I mean a "foo.svg" inside HTML img: <img src="foo.svg" />):

-First of all, as already decided about the eventual Firefox implementation - all scripts in "foo.svg" are ignored.

-In response to comment #56 - internal links in "foo.svg" are always ignored, whether <img> is surrounded by <a> or not.

-Animation - of course, scripted animation is not being executed, but the SMIL animation is, so if "foo.svg" contains declarative animation, then it's being animated (in my opinion this is something that web developers would be very glad to see once the bug #216462 is resolved).

-The <svg:image> tag - all images inside "foo.svg" are being rendered, whether this is "bar.png" or "bar.svg". But animations in "bar.svg" are ignored (even the declarative ones). So if "foo.svg" is included using HTML <img> then all internal images are treated as rasters (contrary to the situation when "foo.svg" is included using HTML <object> - then the "bar.svg" is animated, as expected).

I've checked also WebKit (527). It behaves the same way as I described in previous comment, except for the last case - if the foo.svg is embedded into HTML using <img> tag, then WebKit doesn't display the internal bar.svg. Perhaps it's a bug, because bar.svg is being displayed (and animated) if foo.svg is embedded using <object> tag.

However, I've also repeated the tests in Opera, and this time the bar.svg is being animated (SMIL, of course) even if foo.svg is embedded using <img> tag. Don't know, maybe the last time I was checking I made some mistake, but I'm pretty sure that the bar.svg is being animated in both cases (foo.svg embedded using both <img> and <object>). Checked with Opera 9.50 and 9.60.

And there's a weird thing in Opera 10 beta: also in the last case, in this version of Opera, bar.svg is not being animated at all (neither for foo.svg in <img> nor for foo.svg in <object>). Maybe it's a bug, but maybe they decided to change the behaviour for some reason?

So summarizing, Opera and WebKit behave the same way for cases 1, 2 and 3, as described in comment #58. For case 4, Opera (9.5, 9.6) does animate the bar.svg embedded in foo.svg (using <svg:image>) in all cases (foo.svg in <img> and in <object>). However, Opera 10 beta does not. As for WebKit, it has problem with displaying the bar.svg when foo.svg is embedded using <img>, but for foo.svg in <object> everything works fine (the animation also).

Hope I didn't complicate it too much;)

Created an attachment (id=392530)
testcases for comments 58 and 59

attached testcases that I used to check what's described in comments 58 and 59. It consists of an html file and several svg files, thus I've put it into an archive.

Not making it.

Does "Not making it" mean it won't be in 1.9.2a1 (the target milestone) or is the feature not expected to make it for 1.9.2 at all?

This will not make it for 1.9.2.

Would it be possible to know, roughly, what prevented this bug, together with Bug 231179 and Bug 272288, to make it in 1.9.2, as we were expecting it so much, and when would its new estimated time of implementation be, if it's already known?

Thank you!

The changes in bug 753 and bug 435296 were being made at the time that svg-in-img development would have been happening, and the two pieces of work would conflict with each other (or, more specifically, depend on each other), so we opted to delay implementation until the other imagelib work was done.