- From: Anne van Kesteren <annevk@opera.com>
- Date: Sat, 02 Feb 2008 11:52:52 +0100
- To: "HTML WG" <public-html@w3.org>
The section should be more clear about what it means by image. Is that simply a reference to the <img> element?

Also, it should clearly distinguish between the origin for safe data: URI images and unsafe data: URI images. This is to ensure <canvas> data is round-trippable, for instance, but that we don't increase the attack surface.

A safe data: URI image is every <img> element where the image is represented by a data: URI and where this URI was not obtained through a single cross-site request. So <img src=data:...> is safe, but <img src=http://cross-site.victim.com> which redirects upon fetching to a data: URI is not.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Saturday, 2 February 2008 10:49:30 UTC
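
The distinction drawn in the message above, sketched as an added example that is not part of the original message or of any specification text. The function name, the `fetchChain` record of requested URLs, and the reading that a same-origin redirect to a data: URI stays safe are assumptions made for illustration.

```javascript
// Added illustration. fetchChain (hypothetical) lists every URL requested
// while loading the image, in order; the last entry is where the image
// data finally came from. documentOrigin is the embedding page's origin.

function isSafeDataUriImage(documentOrigin, fetchChain) {
  if (!Array.isArray(fetchChain) || fetchChain.length === 0) return false;

  // The image must actually be represented by a data: URI.
  const finalUrl = new URL(fetchChain[fetchChain.length - 1]);
  if (finalUrl.protocol !== 'data:') return false;

  // No request made on the way to that data: URI may be cross-site.
  // (URL.origin of a data: URL is the string "null", so a data: hop in
  // the middle of the chain also fails this comparison.)
  for (const hop of fetchChain.slice(0, -1)) {
    if (new URL(hop).origin !== documentOrigin) return false;
  }
  return true;
}

// Constructed sample values.
const DOC_ORIGIN = 'http://example.org';
const DATA_IMG = 'data:image/png;base64,iVBORw0KGgo=';

// <img src=data:...> written directly in the page: safe.
const direct = isSafeDataUriImage(DOC_ORIGIN, [DATA_IMG]);

// <img src=http://cross-site.victim.com> that redirects to a data: URI:
// unsafe, because the data: URI was obtained through a cross-site request.
const viaCrossSite = isSafeDataUriImage(DOC_ORIGIN, [
  'http://cross-site.victim.com/',
  DATA_IMG,
]);

// Same-origin redirect to a data: URI: safe under the assumption above.
const viaSameOrigin = isSafeDataUriImage(DOC_ORIGIN, [
  'http://example.org/avatar',
  DATA_IMG,
]);

console.log({ direct, viaCrossSite, viaSameOrigin });
```

Only an image classified as safe here would leave <canvas> data readable; anything else would be treated as cross-origin content.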