Requested: https://www.w3.org/2000/svg Found: http://www.w3.org/2000/svg

Ravipati Praveen picture Ravipati Praveen · Sep 19, 2016 · Viewed 10k times · Source

We are using Apache Batik to render SVG files. For security reasons, all the URLs are converted to HTTP.

Now, when we are rendering the SVG files, we get this issue.

  • Original SVG is:

    svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" 
    
  • Converted SVG is:

    svg xmlns=\"https://www.w3.org/2000/svg\" xmlns:xlink=\"https://www.w3.org/1999/xlink\"
    

So, I tried with Dhttps.protocols parameter from Java, no good. I'm digging source code for this.

Answer

davidsheldon picture davidsheldon · Sep 19, 2016

Don't change the URLs for namespace definitions. These are the attributes starting with xmlns, optionally followed by a : and a more detailed name.

For SVG, the namespace must be http://www.w3.org/2000/svg, see the specification.

These URLs are not used for connecting to, they just define what the elements mean (see XML Namespaces), so you're not gaining any security by changing them. Instead you're just making your SVG file invalid.