Dr. Olaf Hoffmann wrote:
> I think, these problems show mainly, that the img element
> of html is outdated since the object element was introduced.

The two have very different behavior from a security perspective. In particular, the content of an <img> is guaranteed to be static content in the sense that it won't run JavaScript (though I do wonder how Opera's SVG and Safari's PDF handling play there; I would hope they disable JavaScript when embedding SVG and PDF via <img>). <object> carries no such security guarantee; quite the contrary.

Now this guarantee is not spelled out in the HTML4 specification, of course. But it has been provided by all UAs for a number of years now, and it's widely relied on by content. In fact, it would make a lot of sense to specify this guarantee in HTML5...

-Boris

Received on Friday, 25 January 2008 16:40:17 GMT