Re: img issue: should we restrict the URI

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 25 Jan 2008 10:40:37 -0600
Message-ID: <479A1105.8010107@mit.edu>
To: "Dr. Olaf Hoffmann" <Dr.O.Hoffmann@gmx.de>
CC: public-html@w3.org

Dr. Olaf Hoffmann wrote:
> I think these problems show mainly that the img element
> of html is outdated since the object element was introduced.

The two have very different behavior from a security perspective.  In 
particular, the content of an <img> is guaranteed to be static content in the 
sense that it won't run JavaScript (though I do wonder how Opera's SVG and 
Safari's PDF handling play there; I would hope they disable JavaScript when 
embedding SVG and PDF via <img>).  <object> carries no such security guarantee; 
quite the contrary.

Now this guarantee is not spelled out in the HTML4 specification, of course. 
But it has been provided by all UAs for a number of years now, and it's widely 
relied on by content.

In fact, it would make a lot of sense to specify this guarantee in HTML5...

-Boris
Received on Friday, 25 January 2008 16:40:17 UTC
