
Re: [CSP] SVG-in-img implementation difference

From: Ted Mielczarek <ted@mozilla.com>
Date: Wed, 23 Apr 2014 10:58:01 -0400
Message-ID: <5357D4F9.5070606@mozilla.com>
To: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 4/23/2014 9:01 AM, Mike West wrote:
> I'm not sure I follow what you're not following. :)
> Ted's initial question was, as I understand it, "Should images loaded
> inside an SVG document loaded as an image be subject to the policy
> served with the SVG document itself, or to the policy from the page
> that loaded the SVG document as an image."
That's not quite correct; the question was "should the policy of a
document apply to an SVG document loaded via <img>". In this case the
document contains <img src="img.svg">, and the document's policy
prevented inline style attributes, which made inline style in the SVG
document not apply.

> My answer is that the page's policy should apply: if the SVG document
> wants to load an image, it should only be allowed to do so if the page
> could load an image.

I can see the argument either way here, honestly, especially when the
policy for the page and the SVG document are different (as they were in
this case).

Received on Wednesday, 23 April 2014 14:58:28 UTC
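The test case the thread is arguing about, as an added example that is not code from the original post, from either author, or from any browser: a page whose CSP forbids inline styles embeds an SVG via <img>, and the SVG carries a `style` attribute and is served with a more permissive policy of its own. `inline_style_allowed` is a deliberately simplified model of CSP's style-src check (style-src, falling back to default-src, with nonces and hashes omitted) so that the two candidate interpretations can be compared side by side; the sample documents, header values and the port are constructed for the example. The built-in `http.server` lets the same pair of responses be loaded in real browsers to observe which policy each one applies.

```python
"""Reproducer for the CSP / SVG-in-<img> case discussed in the thread.

Added example, not code from the original post.  The CSP check below is
a simplified model of the style-src rule, not a full implementation.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample documents for the scenario in the thread.
PAGE_HTML = b"""<!doctype html>
<title>CSP / SVG-in-img test</title>
<p>The circle is red only if the SVG's inline style attribute applied.</p>
<img src="img.svg" alt="test">
"""
PAGE_CSP = "default-src 'self'; style-src 'self'"          # no 'unsafe-inline'

SVG_IMAGE = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" style="fill: red"/>
</svg>
"""
SVG_CSP = "default-src 'self'; style-src 'unsafe-inline'"  # permits inline style


def parse_csp(header):
    """Parse a serialized policy into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_style_allowed(header):
    """Simplified CSP check: is an inline style attribute permitted?

    style-src governs inline styles; if it is absent default-src applies;
    if neither is present nothing is restricted.  Real CSP also honours
    nonces and hashes, which this model omits (assumption for brevity).
    """
    policy = parse_csp(header)
    sources = policy.get("style-src", policy.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


def outcome_under_each_interpretation():
    """Which policy each interpretation consults, and whether the style applies."""
    return {
        "page policy governs SVG-in-img": inline_style_allowed(PAGE_CSP),
        "SVG's own policy governs": inline_style_allowed(SVG_CSP),
    }


class Handler(BaseHTTPRequestHandler):
    """Serve the page and the SVG, each with its own CSP header."""

    def do_GET(self):
        if self.path == "/img.svg":
            body, ctype, csp = SVG_IMAGE, "image/svg+xml", SVG_CSP
        else:
            body, ctype, csp = PAGE_HTML, "text/html; charset=utf-8", PAGE_CSP
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Security-Policy", csp)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    for name, allowed in outcome_under_each_interpretation().items():
        print(f"{name}: inline style {'applies' if allowed else 'blocked'}")
    # Constructed address: open http://127.0.0.1:8000/ in a browser to
    # see which of the two outcomes that browser actually produces.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run with `python3 reproducer.py` and load the page in each browser under test; the model prints "blocked" for the page-policy interpretation and "applies" for the SVG's-own-policy interpretation, so the colour of the circle tells you which one the browser implements.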
