| Status | Assigned | Task |
|---|---|---|
| Open | None | T96309 Make Graphoid return SVGs |
| Open | None | T96461 Systematic sanitization for SVGs and HTML |
| Resolved | csteipp | T125382 Ensure DOMPurify meets our SVG sanitization requirements for Graphs |
If, in addition to the DOMPurifier, the SVGs were included as an <img> tag and served from a separate domain, this would probably be significantly safer than what we currently do for user-supplied SVGs.
(Just to clarify, this is an unofficial personal opinion. I've been doing some security stuff recently, but I don't do the reviews, so all this is just imho).
I don't think you need multiple handshakes for SPDY/HTTP/2 when using a cert that has both domains in ServerAltName, and for the HTTP/1.1 case, you often get better pipelining using multiple domains. Not 100% sure about that though.
HTTP/2 (and SPDY) will coalesce if the IP is the same and they're SANs on the same cert. The multiple domains for HTTP/1.1 thing is just to increase parallelism for that case. Currently for our primary use case (text wiki traffic + images from upload.wm.o), they're on the same cert, but upload has a separate IP from the rest (and we don't have any near-term plans to merge the IPs, for a number of reasons).
Lacking context about what domain names we're even talking about here, it's hard to say what's up with this specific situation.
I would also say that, for this particular use case, I think worrying about this is premature optimization. <img> tags do not block page rendering afaik (esp. if width/height is specified). And graph tags are only used on a small number of pages.
- It doesn't sanitize styles. There's a plugin in the demos folder that does a pretty good job. So we could make that work.
So as is, DOMPurify won't work for us. DOMPurify with the CSS and a custom plugin that we write to strip external sources, we could probably do.
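One way the "custom plugin to strip external sources" mentioned above could be built on DOMPurify's `afterSanitizeAttributes` hook, as an added example (not code from this task or from DOMPurify's demos). The names `keepAttribute` and `installHook`, the attribute list, and the fragment-only policy are assumptions; `<style>` elements are not covered.

```javascript
// Attributes whose whole value is a reference (assumed list for this example).
const REF_ATTRS = new Set(['href', 'xlink:href', 'src']);

// True only for same-document fragment references such as "#gradient1".
function isFragmentRef(value) {
  return /^\s*#[^\s]*\s*$/.test(value);
}

// Decide whether an attribute may stay. Fails closed: anything that could
// hide a remote fetch (CSS escapes, @import, image-set, non-fragment url())
// is dropped. This strict policy also drops ordinary outbound links.
function keepAttribute(name, value) {
  if (REF_ATTRS.has(name.toLowerCase())) return isFragmentRef(value);
  if (value.includes('\\') || /@import|image-set/i.test(value)) return false;
  // Every url(...) in style or presentation attributes must target "#id".
  const urls = value.match(/url\s*\([^)]*\)?/gi) || [];
  return urls.every((u) => /^url\(\s*(['"]?)#[\w-]+\1\s*\)$/i.test(u));
}

// Register the check with a DOMPurify instance passed in by the caller.
function installHook(purifier) {
  purifier.addHook('afterSanitizeAttributes', (node) => {
    if (!node.attributes) return;
    for (const attr of Array.from(node.attributes)) {
      if (!keepAttribute(attr.name, attr.value)) node.removeAttribute(attr.name);
    }
  });
}

// Constructed sample attributes, as [name, value] pairs.
const SAMPLE = [
  ['xlink:href', '#marker1'],
  ['xlink:href', 'https://tracker.example/pixel.svg'],
  ['fill', 'url(#grad)'],
  ['style', 'fill: url("https://tracker.example/a.png")'],
  ['style', 'fill: u\\72l(https://tracker.example/a.png)'],
  ['stroke', '#336699'],
];

// Returns one keep/drop decision per sample attribute.
function demo() {
  return SAMPLE.map(([name, value]) => keepAttribute(name, value));
}

console.log(demo());
```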
SVGs would allow us to serve much crispier graphs, as well as (eventually) to add URL links directly to the graph. Additionally, a number of font issues will be solved because the font rendering will be done by the browser.