Re: img issue: should we restrict the URI

Dr. Olaf Hoffmann wrote:
> I think, these problems show mainly, that the img element
> of html is outdated since the object element was introduced.

The two have very different behavior from a security perspective.  In 
particular, the content of an <img> is guaranteed to be static content in the 
sense that it won't run JavaScript (though I do wonder how Opera's SVG and 
Safari's PDF handling play there; I would hope they disable JavaScript when 
embedding SVG and PDF via <img>).  <object> carries no such security guarantee; 
quite the contrary.

Now this guarantee is not spelled out in the HTML4 specification, of course. 
But it has been provided by all UAs for a number of years now, and it's widely 
relied on by content.

In fact, it would make a lot of sense to specify this guarantee in HTML5...

-Boris

Received on Friday, 25 January 2008 16:40:17 UTC
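
The difference described in the message above can be checked in a given browser. The following is an added example, not part of the original message: it embeds the same constructed SVG through `<img>` and through `<object>` and reports whether its script ran. All names here (`PROBE_SVG`, `probeUrl`, `buildEmbed`, `scriptRan`, `checkStaticImgGuarantee`) are hypothetical, and the 1000 ms wait is an assumed timeout.

```javascript
// Constructed sample: an SVG whose script only reports that it executed.
const PROBE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">' +
  '<script>parent.postMessage("svg-script-ran", "*")</script>' +
  '<rect width="10" height="10" fill="green"/></svg>';

// Encode the SVG as a data: URL so the probe needs no server.
function probeUrl(svg) {
  return 'data:image/svg+xml,' + encodeURIComponent(svg);
}

// Markup for the two embedding mechanisms compared in the message.
function buildEmbed(kind, url) {
  if (kind === 'img') return `<img src="${url}" alt="probe">`;
  if (kind === 'object') return `<object type="image/svg+xml" data="${url}"></object>`;
  throw new Error('unknown embed kind: ' + kind);
}

// Browser only: embed the probe and resolve true if its script ran.
function scriptRan(kind, waitMs = 1000) {
  return new Promise((resolve) => {
    const host = document.createElement('div');
    let timer;
    const finish = (ran) => {
      clearTimeout(timer);
      window.removeEventListener('message', onMessage);
      host.remove();
      resolve(ran);
    };
    const onMessage = (e) => { if (e.data === 'svg-script-ran') finish(true); };
    window.addEventListener('message', onMessage);
    host.innerHTML = buildEmbed(kind, probeUrl(PROBE_SVG));
    document.body.appendChild(host);
    timer = setTimeout(() => finish(false), waitMs);
  });
}

// Run sequentially so a message cannot be attributed to the wrong embed.
async function checkStaticImgGuarantee() {
  const img = await scriptRan('img');
  const object = await scriptRan('object');
  return { imgIsStatic: !img, objectRunsScript: object };
}

// Only runs in a page; outside a browser the helpers above are just defined.
if (typeof document !== 'undefined') {
  checkStaticImgGuarantee().then((r) => console.log(r));
}
```

In a UA that honours the guarantee discussed in the message, `imgIsStatic` is `true`; `objectRunsScript` shows whether the same content is treated as active when embedded with `<object>`.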