- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Thu, 24 Jun 2010 22:03:15 +1200
- To: Erik Dahlstrom <ed@opera.com>
- Cc: Doug Schepers <schepers@w3.org>, "www-svg@w3.org" <www-svg@w3.org>
Received on Thursday, 24 June 2010 10:03:44 UTC
On Thu, Jun 24, 2010 at 8:43 PM, Erik Dahlstrom <ed@opera.com> wrote:

> I think you'd need to be much more specific about what constitutes a
> "mixed-origin resource".
>
> Yes. It's probably easier to restrict based on what's loaded from a given
> document, not by what's actually used in that document.

Yes, definitely.

> A suggestion would be to clarify that if an svg:image references an svg
> resource it's treated the same as the raster image case when it comes to
> pointer-events.
>
> And more specifically: there shall be no script execution in the referenced
> resource, and no interactivity inside the resource. Those restrictions are
> outlined in the SVG Integration module[1], and would map to either "Animated
> mode" (if we think animation is ok, like it is for html:img) or "Static
> mode".

Definitely.

> Another solution would be to always treat referenced svg images as in rule
> 1), and define a more advanced security model in a later version of the svg
> spec.

Rule 1 isn't enough. You need rule 2, or something like it, as well.

Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]