W3C home > Mailing lists > Public > public-html@w3.org > January 2008

Re: img issue: should we restrict the URI

From: Jeff Schiller <codedread@gmail.com>
Date: Fri, 25 Jan 2008 11:26:35 -0600
Message-ID: <da131fde0801250926t43eb2a96l2d120a0ca94f2f0e@mail.gmail.com>
To: "Boris Zbarsky" <bzbarsky@mit.edu>
Cc: "Dr. Olaf Hoffmann" <Dr.O.Hoffmann@gmx.de>, public-html@w3.org

Boris,

That is  exactly why I started this thread [1].  Unfortunately it got
somewhat derailed by the <img> "deprecation" suggestion.  The bottom
line is there is very few web pages out there that do not use the
<img> tag - it isn't going anywhere. So we need to specify what it
means in a backward-compatible way.

I would like to specify what an "image" means to HTML.

At the very least, I would suggest that an image is non-interactive in
both the user and the user-agent sense.

Whether or not script should be allowed to run inside an "image" (like
SVG) is another question that I would like to bring to the forefront.
.There might be some arguments to allow scripts to run inside images.
For instance:  an image may want to reflect the current time of day...
 But so far I haven't come up with any convincing arguments to allow
this.  If the author wants some scriptability, they can always use
<object>

So can we consider specifying that images are both non-interactive and
must not be allowed to run scripts?

Regards,
Jeff

[1] http://lists.w3.org/Archives/Public/public-html/2008Jan/0217.html
On 1/25/08, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>
> Dr. Olaf Hoffmann wrote:
> > I think, these problems show mainly, that the img element
> > of html is outdated since the object element was introduced.
>
> The two have very different behavior from a security perspective.  In
> particular, the content of an <img> is guaranteed to be static content in the
> sense that it won't run JavaScript (though I do wonder how Opera's SVG and
> Safari's PDF handling play there; I would hope they disable JavaScript when
> embedding SVG and PDF via <img>).  <object> carries no such security guarantee;
> quite the contrary.
>
> Now this guarantee is not spelled out in the HTML4 specification, of course.
> But it has been provided by all UAs for a number of years now, and it's widely
> relied on by content.
>
> In fact, it would make a lot of sense to specify this guarantee in HTML5...
>
> -Boris
>
>
Received on Friday, 25 January 2008 17:26:46 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:29 UTC