- From: Dr. Olaf Hoffmann <Dr.O.Hoffmann@gmx.de>
- Date: Tue, 29 Jan 2008 14:45:31 +0100
- To: public-html@w3.org
Boris Zbarsky wrote: > Dr. Olaf Hoffmann wrote: > > It is not noted, that this has influence on the interpretation of the SVG > > and I think, it should not have influence. The interpretation should > > depend on the content of the SVG document of course, not on the embedding > > document, else the author would have written another SVG document ;o) > > You're assuming the author of the SVG document and the author of the > embedding document are the same. This is a bad assumption. > In general I note it, if I assume something specific. The SVG document has an author and the embedding (X)HTML document has an author, not important, whether it is the same or not. The author of the SVG document created his document with some assumptions (hopefully indeed realised in such a way, that the functionality and the purpose is still available without scripting, else the document has no functionality or purpose at all). If the authors are different and the author of the embedding document does not like the behaviour of the SVG document, it is in general a good idea not to embed it at all and to write another one or just to use an a element to reference it as a bad example. In all cases the behaviour of the embedded document should not depend on the embedding document. If the embedded document tries to manipulate the embedding document with scripting is a different problem, because then obviously the behaviour for a standalone document is different anyway as for the same document embedded somewhere. In such a special case I see no problem if the author of the embedding document can restrict the behaviour somehow. > >> We're not talking about the user. Running script in images would make > >> _websites_ vulnerable, not users. > > > > If it depends on img or object, this looks like a bad > > design/interpretation of the img element, if a website is more vulnerable > > with an image inside img as with an image inside object. > > It might be a bad design, but it's extremely common. > I know a lot of nasty, quite common things, but the quantity of nasty things is in general no reason, not to do it better ;o) > > I think, there were already some > > security or at least stability problems with illformed JPEGS (don't know > > details anymore) too in more than one browser... > > You're once again confusing user security and website security. > > The security issue here is that just because a website allows users to post > images it might not actually want to allow them to run script. If images > can run script, this becomes a problem. Obviously such a problem already existed before HTML was invented, for example PostScript is a nice possibility to create images and already the name indicates, that such images may contain script like content, therefore it is not realy a surprise that image formats exist, that contain scripting, flash can be seen as another image format with scripting abilities, currently maybe no one tried to use/implement it for img, but if it is done for SVG, it is maybe useful for some authors for flash too. I personally do not need scripting in images, but this is my personal opinion only, other authors may find a way to use it to increase the pleasure for the audience or to create alternative displays of the image to improve accessibility of the content. .... > > > Another problem of embedded documents (both for img or object) indeed > > is, that for example SVG documents 'eat' events. > > The point is that an SVG document embedded via <img> should not do this. > Are there UAs that support SVG in <img> and have the SVG "eat" events? > I never tried, because from my point of view the construction of img in HTML4 is outdated at least for other formats than PNG or JPEG (or maybe GIF), I never used it for other formats. > For <object>, a solution that dispatches events to the parent document > might be a good idea, not just for SVG but also for HTML, etc. > > > Then the control about the > > desired behaviour is left to the author of the embedding document. > > That's a reasonable approach, yes. So I could be open for a way to have an > SVG linked in via <img> but with scripting enabled, perhaps. But by default > it should be disabled. > > -Boris To find some useful default value, maybe dependent on the element is of course something helpful for authors. This is more the question, what the most reasonable use case is. This applies too for other media containers like video (maybe canvas too?). However with such an attribute it is simple to switch for authors to the desired behaviour, a better approach than to provide yet another element. Because currently the HTML5 draft does not have features like declarative animation/interactivity for such attributes, the behaviour remains static, but this may change, if something like timesheets from SMIL gets implemented in some viewers to get it even more useful in advanced applications.
Received on Tuesday, 29 January 2008 13:56:43 UTC