Re: img issue: should we restrict the URI

Jeff Schiller wrote:
> At the very least, I would suggest that an image is non-interactive in
> both the user and the user-agent sense.

That suggestion (including the phrasing) would make a lot of sense to me.

> Whether or not script should be allowed to run inside an "image" (like
> SVG) is another question that I would like to bring to the forefront.
> There might be some arguments to allow scripts to run inside images.

If they were allowed to do this, they would need to be heavily sandboxed (e.g. 
not able to change any location.href values, not able to fire any DOM events on 
things outside the <img>, not able to have any DOM events leave the <img> via 
capture or whatnot, not able to perform network access, etc, etc).  At least I 
assume that's what "non-interactive in the user-agent sense" means.

> But so far I haven't come up with any convincing arguments to allow
> this.  If the author wants some scriptability, they can always use
> <object>


> So can we consider specifying that images are both non-interactive and
> must not be allowed to run scripts?

I would support that.


Received on Friday, 25 January 2008 17:32:28 UTC