Dr. Olaf Hoffmann wrote:

> At least img is noted as a typical use case for SVG content for more than 6
> years, see:
> SVG 1.0: http://www.w3.org/TR/2001/REC-SVG-20010904/concepts.html#UsageOptions
> or 1.1: http://www.w3.org/TR/SVG11/concepts.html#UsageOptions

Yes.... what did I write to contradict this?

> Therefore it is no surprise, that an advanced general purpose browser starts
> to implement this, even if the img element is not the best choice for authors.

But in many cases it _is_.

> Scripting was always a problem, inside HTML too for several reasons.

Yes...

> Obviously it gets even more interesting, if a plugin is used to display
> something, having its own scripting support and security holes.

Yes.

> But typically the user can simply decide to switch scripting on or off

We're not talking about the user. Running script in images would make _websites_ vulnerable, not users.

> And to have the same functionality for only different named elements
> simplifies the situation somehow - suspicious content can be anywhere

Right now, linking to an untrusted image using <img> is not a security problem for a website. Linking using <object> is. Changing this is not something that is either feasible or, in my opinion, desirable.

-Boris

Received on Friday, 25 January 2008 20:01:15 GMT
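An added example, not part of the message above or of the archive: a small markup audit that applies the distinction drawn in the reply, leaving `<img>` references alone and reporting `<object>` references that point at another origin. Treating `<embed>` and `<iframe>` the same way as `<object>`, the names `audit` and `EmbedAudit`, and the example.* hosts are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that embed a full document in which script can run, mapped to the
# attribute holding the URL. <object> is the case named in the message;
# <embed> and <iframe> are included here as an assumption.
SCRIPTABLE = {"object": "data", "embed": "src", "iframe": "src"}


def origin(url):
    """Return (scheme, host, port) of a URL, lower-cased."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


class EmbedAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = SCRIPTABLE.get(tag)
        if attr is None:
            return  # <img> and all other elements are not flagged
        url = dict(attrs).get(attr)
        if not url:
            return
        target = urljoin(self.page_url, url)  # resolve relative references
        if origin(target) != origin(self.page_url):
            self.findings.append((self.getpos()[0], tag, target))


def audit(html, page_url):
    """List scriptable embeds in html that load from another origin."""
    parser = EmbedAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><body>
<img src="https://uploads.example.net/avatar.svg" alt="avatar">
<object data="https://uploads.example.net/chart.svg" type="image/svg+xml"></object>
<embed src="/static/logo.svg" type="image/svg+xml">
<iframe src="//cdn.example.org/widget.svg"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in audit(SAMPLE, "https://www.example.com/profile"):
        print(f"line {line}: <{tag}> loads other-origin content {url}")
```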