- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 10 Feb 2008 00:17:28 +0000 (UTC)
- To: Anne van Kesteren <annevk@opera.com>
- Cc: HTML WG <public-html@w3.org>
On Sat, 2 Feb 2008, Anne van Kesteren wrote:
>
> The section should be more clear what it means by image. Is that simply
> a reference to the <img> element?

I'm not sure to what you refer here.

> Also, it should clearly distinguish between the origin for safe data:
> URI images, and unsafe data: URI images. This to ensure <canvas> data is
> round trippable for instance, but that we don't increase the attack
> surface.

Isn't this already done in the definition of "origin"?

> A safe data: URI image is every <img> element where the image is
> represented by a data: URI and where this URI was not obtained through a
> single cross-site request. So <img src=data:...> is safe, but <img
> src=http://cross-site.victim.com> which redirects upon fetching to a
> data: URI is not.

This seems already defined.

Could you give examples of what you think the spec doesn't define?

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /, _.. \ _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 10 February 2008 00:17:39 UTC
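The rule Anne quotes and Ian says is already defined (a data: URI authored by the page keeps the page's origin; one reached through a cross-site redirect does not, and drawing it taints the canvas) as an added JavaScript model. This is not code from the thread, the spec, or any browser; `imageOrigin`, `CanvasModel` and the redirect chains are hypothetical and constructed for illustration.

```javascript
// Added example (not from the thread): a toy model of the origin rule under
// discussion, used to decide whether drawing an <img> onto a <canvas> taints it.
// Names are hypothetical; the redirect chains passed in are constructed.

// Serialise the origin of a network URL as scheme://host[:port].
function networkOrigin(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// documentOrigin: origin of the page that owns the <img> and <canvas>.
// src: the <img> src attribute.
// redirects: URLs the fetch was redirected through, in order (constructed).
// Returns the origin the image ends up with: the document's own origin when
// no network hop was cross-site (a plain <img src=data:...> makes no network
// request at all), or "cross-origin" as soon as any hop was cross-site, even
// when the final response is a data: URI.
function imageOrigin(documentOrigin, src, redirects = []) {
  const hops = [src, ...redirects].filter((u) => !u.startsWith("data:"));
  const crossSite = hops.some((u) => networkOrigin(u) !== documentOrigin);
  return crossSite ? "cross-origin" : documentOrigin;
}

// A canvas stays "origin-clean" only while everything drawn on it shares the
// document's origin; reading a tainted canvas back out is refused.
class CanvasModel {
  constructor(documentOrigin) {
    this.documentOrigin = documentOrigin;
    this.originClean = true;
  }
  drawImage(src, redirects = []) {
    if (imageOrigin(this.documentOrigin, src, redirects) !== this.documentOrigin) {
      this.originClean = false;
    }
    return this;
  }
  toDataURL() {
    if (!this.originClean) {
      throw new Error("SecurityError: canvas is tainted by cross-origin data");
    }
    return "data:image/png;base64,<constructed-placeholder>";
  }
}
```

Same-origin data: images round-trip through `toDataURL()`; an image fetched from `http://cross-site.victim.com` that redirects to a data: URI taints the canvas and the read-back fails.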