- From: Felix Becker via GitHub <sysbot+gh@w3.org>
- Date: Wed, 09 Dec 2020 11:20:53 +0000
- To: public-css-archive@w3.org

I am a bit confused why the security concern is a blocker for `<iframe>`, when `<object>` already does this (at least when embedding an SVG, even cross-origin). `<iframe>`s are a lot more secure because they have attributes like `sandbox` and `csp`, which `<object>` does not. So currently we are forced to use `<object>` to embed SVGs in a responsive, accessible, interactive way (`<img>` doesn't expose contents to screen readers, make links clickable or text selectable) with no way to disallow scripts in SVG to run. Having iframe resizing would therefore be an _improvement_ to security in my eyes because it stops forcing us to use less secure alternatives.

--
GitHub Notification of comment by felixfbecker

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1771#issuecomment-741708360 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 9 December 2020 11:20:56 UTC