On Fri, 25 Jan 2008, Boris Zbarsky wrote:
>
> [...] the content of an <img> is guaranteed to be static content in the
> sense that it won't run JavaScript (though I do wonder how Opera's SVG
> and Safari's PDF handling play there; I would hope they disable
> JavaScript when embedding SVG and PDF via <img>). <object> carries no
> such security guarantee; quite the contrary.
>
> Now this guarantee is not spelled out in the HTML4 specification, of
> course. But it has been provided by all UAs for a number of years now,
> and it's widely relied on by content.
>
> In fact, it would make a lot of sense to specify this guarantee in
> HTML5...

Done.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 30 July 2008 02:24:58 GMT