- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 25 Jan 2008 10:40:37 -0600
- To: "Dr. Olaf Hoffmann" <Dr.O.Hoffmann@gmx.de>
- CC: public-html@w3.org

Dr. Olaf Hoffmann wrote:
> I think, these problems show mainly, that the img element
> of html is outdated since the object element was introduced.

The two have very different behavior from a security perspective. In particular, the content of an <img> is guaranteed to be static content in the sense that it won't run JavaScript (though I do wonder how Opera's SVG and Safari's PDF handling play there; I would hope they disable JavaScript when embedding SVG and PDF via <img>). <object> carries no such security guarantee; quite the contrary.

Now this guarantee is not spelled out in the HTML4 specification, of course. But it has been provided by all UAs for a number of years now, and it's widely relied on by content. In fact, it would make a lot of sense to specify this guarantee in HTML5...

-Boris

Received on Friday, 25 January 2008 16:40:17 UTC
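
An added example, not part of the original message: content that relies on the `<img>` guarantee described above can be audited by checking that untrusted media is only ever embedded through `<img>`. The sketch assumes untrusted media is anything cross-origin or under a hypothetical `/uploads/` path, uses constructed sample markup and hostnames, and goes beyond the message by treating `<embed>` and `<iframe>` like `<object>`.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# <object> is the element named in the message; <embed> and <iframe> are
# added here because they also load a resource as a script-capable document.
ACTIVE = {"object": "data", "embed": "src", "iframe": "src"}
STATIC = {"img": "src"}  # rendered as static content, no script execution

class EmbedAudit(HTMLParser):
    def __init__(self, page_url, upload_paths):
        super().__init__()
        self.page_url = page_url
        self.upload_paths = upload_paths  # assumption: where user files live
        self.findings = []

    def _is_untrusted(self, absolute):
        page, target = urlparse(self.page_url), urlparse(absolute)
        cross_origin = (page.scheme, page.netloc) != (target.scheme, target.netloc)
        return cross_origin or any(target.path.startswith(p) for p in self.upload_paths)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or STATIC.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        absolute = urljoin(self.page_url, url)
        if self._is_untrusted(absolute):
            verdict = "active" if tag in ACTIVE else "static"
            self.findings.append((tag, absolute, verdict))

def audit(html, page_url, upload_paths=("/uploads/",)):
    """Return (tag, absolute_url, verdict) for every untrusted embed."""
    parser = EmbedAudit(page_url, upload_paths)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any real site.
PAGE = "https://forum.example.org/thread/1"
SAMPLE = """
<img src="/uploads/avatar.svg">
<object data="/uploads/chart.svg" type="image/svg+xml"></object>
<embed src="https://cdn.example.net/doc.pdf">
<img src="/static/logo.png">
<iframe src="/help/index.html"></iframe>
"""

if __name__ == "__main__":
    for tag, url, verdict in audit(SAMPLE, PAGE):
        print(f"{verdict:6} <{tag}> {url}")
```

Findings with the verdict `active` are the ones to rewrite as `<img>` or to serve from an isolated origin.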