Re: img issue: should we restrict the URI

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 25 Jan 2008 14:00:50 -0600
Message-ID: <479A3FF2.1060200@mit.edu>
To: "Dr. Olaf Hoffmann" <Dr.O.Hoffmann@gmx.de>
CC: public-html@w3.org

Dr. Olaf Hoffmann wrote:
> At least img is noted as a typical use case for SVG content for more than 6
> years, see:
> SVG 1.0: http://www.w3.org/TR/2001/REC-SVG-20010904/concepts.html#UsageOptions
> or 1.1: http://www.w3.org/TR/SVG11/concepts.html#UsageOptions

Yes.... what did I write to contradict this?

> Therefore it is no surprise, that an advanced general purpose browser starts
> to implement this, even if the img element is not the best choice for authors.

But in many cases it _is_.

> Scripting was always a problem, inside HTML too for several reasons.

Yes...

> Obviously it gets even more interesting, if a plugin is used to display
> something, having its own scripting support and security holes.

Yes.

> But typically the user can simply decide to switch scripting on or off

We're not talking about the user.  Running script in images would make 
_websites_ vulnerable, not users.

> And to have the same functionality for only different named elements
> simplifies the situation somehow - suspicious content can be anywhere

Right now, linking to an untrusted image using <img> is not a security 
problem for a website.  Linking using <object> is.  Changing this is not 
something that is either feasible or, in my opinion, desirable.

-Boris
Received on Friday, 25 January 2008 20:01:15 UTC