RE: Progress on SVG book -- question concerning <embed> vs <object> in HTML from Dailey, David P. on 2009-04-04 (public-svg-ig@w3.org from April to June 2009)

From: Dailey, David P. <david.dailey@sru.edu>
Date: Sat, 4 Apr 2009 10:46:34 -0400
To: "Doug Schepers" <schepers@w3.org>
Cc: "SVG IG List" <public-svg-ig@w3.org>, <jferrai@us.ibm.com>
Message-ID: <1835D662B263BC4E864A7CFAB2FEEB3D0152576C@msfexch01.srunet.sruad.edu>
Hi Doug,
 
I was at the very end of a most thorough and elegant reply when Microsoft Outlook Web Access crashed and left no trace of my work. This will be more to the point... sigh!
 

DD> Way back when, <embed> was recommended by Adobe as the preferred way to
> put SVG in HTML. [history as I understand it was that <object> plus
> script introduced a security problem forcing Adobe to disable it]

DS: Hmmm... I don't recall this.  Was this a recent development?

I learned about it from Martin Honnen (http://tech.groups.yahoo.com/group/svg-developers/message/57827 ) a while back.
Originally when I read the release notes associated with 3.03, it sounded like it had been fixed, but Martin's reading suggests that the disabling of script through <object> discussed in 3.01 was still valid for 3.03.  Alas, nowadays SVG in <object> does not even render in IE/ASV unless one uses the <param> trick.

DS: I know that <object> used to crash some browsers, like Safari, which is
why we hesitated using it a while back.  But it seems to work well in
Opera, Firefox, and Safari now.

Yes Chrome too. Only IE/ASV is a problem. Although I seem to have this idea that <object> exposes the Firefox oddity that getSVGDocument() doesn't work there, but that it does in <embed>. Will have to do a bit more testing on that I suppose.


DS: There's also the <iframe> element, which I've mostly used for the past
few years.  I talk about the various ways to embed SVG here:
   http://www.schepers.cc/svg/blendups/embedding.html

Yes in similar tests at http://srufaculty.sru.edu/david.dailey/svg/createSVGelementfromHTML.html back circa FF1.5, I found that there was only one problem with <iframe> -- the only way I could find to access the SVG DOM through <iframe> was to put a script in the SVG that upon loading sends its own SVGDocument as a parameter to a function
running inside HTML. I may have seen another work around but (and I know I've seen suggestions that didn't work), but I still have that listed in my mind as an open problem.

DS:The SVG WG is planning to make a new spec, the SVG Integration module,
which will go into more detail on the various ways to embed SVG.

Good: it's be nice (from the perspective of explainng things) if <embed> <object> <iframe> and <img> all worked the same vis a vis script, cross DOM access, and SMIL. Right now Opera does SMIL inside <img> but not script or DOM access, so 

DS: Actually, Firefox seems to be making good progress on filters for FF 3.5.

Yes, and I've heard that SMIL is coming too, being present in at least some nightly builds.


DD> <object id="E" type="image/svg+xml" data="ovals.svg" width="320"
> height="240">
>
> <param name="src" value="ovals.svg">
>
> </object>
>
> as a way to trick IE/ASV into accepting <object> (and without disabling
> script).
>
> My questions: 1. does the above still expose the user to the security
> risk that Adobe was concerned about in the first place?
>
> If so advising this work-around would perhaps not be a good idea.

DS: I guess the thing to do would be to find out when and why they did this,
see if there is a known exploit, and see if that still poses the same risk.

Yeah, I thought maybe Jon might have some wisdom here, since Adobe is unlikely to have explanations.

> 2. Since <embed> works everywhere, why not recommend it? Is the only
> reason not to that it is not a W3C standard? What do I tell our readers
> who may not care if it's a standard or not so long as it works?

DS:I have no problem recommending <embed>, <object>, or <iframe>.  In the
future, <img> and CSS backgrounds should work across browsers, too
(right now, only Opera seems to get it right, though Safari is not too
bad, either... they still have CSS background issues, but hopefully that
will get cleared up soon).

DS:This is something I hope Renesis works on as well.
 
Oh... Renesis... that reminds me -- I want to put something in about Renesis : for now probably just a mention and a pointer to Jeff's magic feature-support-chart since I can't imagine finding time to test it across all the content in the book.


> * platitudes like ["don't break the web"] often make me nervous ("patriot act" "no child
> left behind" --- it seems like they usually have just the opposite effect)

DS:Why do you hate our troops, David?

Spoken like a true hippy, Doug. 

cheers
D
Received on Saturday, 4 April 2009 14:47:55 UTC