Re: img issue: should we restrict the URI

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 30 Jul 2008 02:24:22 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Cc: "Dr. Olaf Hoffmann" <Dr.O.Hoffmann@gmx.de>, public-html@w3.org
Message-ID: <Pine.LNX.4.62.0807300224040.29977@hixie.dreamhostps.com>

On Fri, 25 Jan 2008, Boris Zbarsky wrote:
> 
> [...] the content of an <img> is guaranteed to be static content in the 
> sense that it won't run JavaScript (though I do wonder how Opera's SVG 
> and Safari's PDF handling play there; I would hope they disable 
> JavaScript when embedding SVG and PDF via <img>).  <object> carries no 
> such security guarantee; quite the contrary.
> 
> Now this guarantee is not spelled out in the HTML4 specification, of 
> course. But it has been provided by all UAs for a number of years now, 
> and it's widely relied on by content.
> 
> In fact, it would make a lot of sense to specify this guarantee in 
> HTML5...

Done.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 30 July 2008 02:24:58 GMT
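
An added example (not part of the thread or of the HTML5 specification): a small Python audit of user-supplied markup that applies the distinction drawn in the quoted message, treating a resource loaded through <img> as static and flagging SVG or PDF loaded through <object>. The inclusion of <embed> and <iframe>, the extension list, the verdict labels and all function names are assumptions of this example.

```python
from html.parser import HTMLParser

# Assumption of this example: which attribute carries the resource URL per tag.
# <img> is the element the message says never runs script; <object> is the one
# it says carries no such guarantee. <embed> and <iframe> are added here because
# they also load active documents.
URL_ATTR = {"img": "src", "object": "data", "embed": "src", "iframe": "src"}
STATIC_TAGS = {"img"}
# Formats named in the message (SVG, PDF) that can contain script.
SCRIPTABLE_EXT = (".svg", ".svgz", ".pdf")


class EmbedAudit(HTMLParser):
    """Collect (tag, url, verdict) for every embedded external resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTR:
            return
        url = dict(attrs).get(URL_ATTR[tag])
        if not url:
            return
        # Judge the format by the path only, ignoring query string and fragment.
        path = url.split("#", 1)[0].split("?", 1)[0].lower()
        if tag in STATIC_TAGS:
            verdict = "static"             # rendered as an image, script not run
        elif path.endswith(SCRIPTABLE_EXT):
            verdict = "active-scriptable"  # script-capable format, no guarantee
        else:
            verdict = "active"             # format not known from the URL alone
        self.findings.append((tag, url, verdict))


def audit(markup):
    parser = EmbedAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample markup (not from the thread).
SAMPLE = """
<p><img src="/uploads/chart.svg" alt="chart"></p>
<object data="/uploads/chart.svg?v=2" type="image/svg+xml"></object>
<embed src="/uploads/report.PDF">
<iframe src="/help/index.html"></iframe>
"""
```

The extension check is only a hint, since the format a browser renders is decided by the served Content-Type, so an "active" verdict still needs review.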
