- From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
- Date: Fri, 17 Jun 2022 21:55:55 +0000
- To: public-css-archive@w3.org
Yeah, we can't introduce a new communication channel to cross-origin iframes, so the preference can't trickle down *everywhere*. It def should go down origins that can communicate, tho. But #7213 does bring up the point that SVG-as-image can't run script *or* load external resources, so it shouldn't be able to exfiltrate any information. Whatever we do, we should match there. -- GitHub Notification of comment by tabatkins Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/6517#issuecomment-1159255330 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 17 June 2022 21:55:57 UTC