
Re: [CSP] SVG-in-img implementation difference

From: Ted Mielczarek <ted@mozilla.com>
Date: Wed, 23 Apr 2014 10:58:01 -0400
Message-ID: <5357D4F9.5070606@mozilla.com>
To: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 4/23/2014 9:01 AM, Mike West wrote:
> I'm not sure I follow what you're not following. :)
>
> Ted's initial question was, as I understand it, "Should images loaded
> inside an SVG document loaded as an image be subject to the policy
> served with the SVG document itself, or to the policy from the page
> that loaded the SVG document as an image."
>
That's not quite correct; the question was "should the policy of a
document apply to an SVG document loaded via <img>". In this case the
document contains <img src="img.svg">, and the document's policy
prevented inline style attributes, which made inline style in the SVG
document not apply.

> My answer is that the page's policy should apply: if the SVG document
> wants to load an image, it should only be allowed to do so if the page
> could load an image.
>

I can see the argument either way here, honestly, especially when the
policy for the page and the SVG document are different (as they were in
this case).

-Ted
Received on Wednesday, 23 April 2014 14:58:28 UTC
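To make the two outcomes in this thread concrete, here is an added example (not code from the thread or from any browser) that evaluates the one question at issue: does a given CSP allow the inline `style` attribute inside img.svg, depending on whether the embedding page's policy or the SVG document's own policy is taken to govern. Both header values are constructed samples, not the headers from Ted's test case; nonce and hash sources are ignored.

```python
from __future__ import annotations


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_style_allowed(header: str) -> bool:
    """Return True if the policy permits inline style attributes.

    style-src governs inline style; when it is absent, default-src applies;
    when both are absent there is no restriction. An inline style attribute
    needs 'unsafe-inline' (nonce/hash sources are deliberately not modelled).
    """
    policy = parse_csp(header)
    sources = policy.get("style-src", policy.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in {s.lower() for s in sources}


# Constructed sample policies (assumptions, not the thread's real headers):
# the page embedding <img src="img.svg"> forbids inline style, while img.svg
# itself is served with a policy that allows it.
PAGE_CSP = "default-src 'self'; img-src 'self' data:"
SVG_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'"


def evaluate_scenario(page_csp: str = PAGE_CSP, svg_csp: str = SVG_CSP) -> dict[str, bool]:
    """Fate of the SVG's inline style under each candidate governing policy."""
    return {
        "page_policy_governs": inline_style_allowed(page_csp),
        "svg_policy_governs": inline_style_allowed(svg_csp),
    }


if __name__ == "__main__":
    for who, allowed in evaluate_scenario().items():
        state = "applies" if allowed else "is blocked"
        print(f"{who}: inline style in img.svg {state}")
```

Serving the same two documents from a local web server and loading the page in different browsers is the practical way to observe which answer each implementation gives.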
