W3C home > Mailing lists > Public > www-svg@w3.org > June 2010

Re: Announcement: Last Call WD of SVG 1.1 Second Edition

From: Robert O'Callahan <robert@ocallahan.org>
Date: Thu, 24 Jun 2010 22:03:15 +1200
Message-ID: <AANLkTimWu4Fa7OYa-WRYACvCBChvB5-eOiDCOFWLkncj@mail.gmail.com>
To: Erik Dahlstrom <ed@opera.com>
Cc: Doug Schepers <schepers@w3.org>, "www-svg@w3.org" <www-svg@w3.org>
On Thu, Jun 24, 2010 at 8:43 PM, Erik Dahlstrom <ed@opera.com> wrote:

> I think you'd need to be much more specific about what consitutes a
> "mixed-origin resource".
>

Yes.

It's probably easier to restrict based on what's loaded from a given
> document, not by what's actually used in that document.
>

Yes, definitely.


> A suggestion would be to clarify that if an svg:image references an svg
> resource it's treated the same as the raster image case when it comes to
> pointer-events.

And more specifically: there shall be no script execution in the referenced
> resource, and no interactivity inside the resource. Those restrictions are
> outlined in the SVG Integration module[1], and would map to either "Animated
> mode" (if we think animation is ok, like it is for html:img) or "Static
> mode".
>

Definitely.


> Another solution would be to always treat referenced svg images as in rule
> 1), and define a more advanced security model in a later version of the svg
> spec.
>

Rule 1 isn't enough. You need rule 2, or something like it, as well.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
Received on Thursday, 24 June 2010 10:03:44 GMT

This archive was generated by hypermail 2.3.1 : Friday, 8 March 2013 15:54:45 GMT