Re: img issue: should we restrict the URI

Dr. Olaf Hoffmann wrote:
> At least img is noted as a typical use case for SVG content for more than 6
> years, see:
> SVG 1.0: http://www.w3.org/TR/2001/REC-SVG-20010904/concepts.html#UsageOptions
> or 1.1: http://www.w3.org/TR/SVG11/concepts.html#UsageOptions

Yes.... what did I write to contradict this?

> Therefore it is no surprise, that an advanced general purpose browser starts
> to implement this, even if the img element is not the best choice for authors.

But in many cases it _is_.

> Scripting was always a problem, inside HTML too for several reasons.

Yes...

> Obviously it gets even more interesting, if a plugin is used to display
> something, having its own scripting support and security holes.

Yes.

> But typically the user can simply decide to switch scripting on or off

We're not talking about the user.  Running script in images would make 
_websites_ vulnerable, not users.

> And to have the same functionality for only different named elements
> simplifies the situation somehow - suspicious content can be anywhere

Right now, linking to an untrusted image using <img> is not a security 
problem for a website.  Linking using <object> is.  Changing this is not 
something that is either feasible or, in my opinion, desirable.

-Boris

Received on Friday, 25 January 2008 20:01:15 UTC