- From: liorean <liorean@gmail.com>
- Date: Sun, 27 Jan 2008 20:35:17 +0100
- To: "HTML WG" <public-html@w3.org>
> Dr. Olaf Hoffmann wrote:
> > It is not noted, that this has influence on the interpretation of the SVG and
> > I think, it should not have influence. The interpretation should depend
> > on the content of the SVG document of course, not on the embedding
> > document, else the author would have written another SVG document ;o)

On 27/01/2008, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> You're assuming the author of the SVG document and the author of the embedding
> document are the same. This is a bad assumption.

Well that really depends on the exposed object model for SVG in img. If img elements were specified in such a way that they don't pass events through to content at all (something I wouldn't expect an element that is intended to be non-interactive to do), and expose no way of getting from the content to the embedding document and no other interactive interfaces, I see no reason why not to allow scripts to run in SVG in img.

> >> We're not talking about the user. Running script in images would make
> >> _websites_ vulnerable, not users.
> > If it depends on img or object, this looks like a bad design/interpretation
> > of the img element, if a website is more vulnerable with an image inside
> > img as with an image inside object.
> It might be a bad design, but it's extremely common.

Only if the execution of those scripts depends on the embedding website. Couldn't img elements simply run the script in a fully isolated environment?

--
David "liorean" Andersson
Received on Sunday, 27 January 2008 19:35:28 UTC