- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 25 Jan 2008 14:00:50 -0600
- To: "Dr. Olaf Hoffmann" <Dr.O.Hoffmann@gmx.de>
- CC: public-html@w3.org
Dr. Olaf Hoffmann wrote:
> At least img is noted as a typical use case for SVG content for more than 6
> years, see:
> SVG 1.0: http://www.w3.org/TR/2001/REC-SVG-20010904/concepts.html#UsageOptions
> or 1.1: http://www.w3.org/TR/SVG11/concepts.html#UsageOptions

Yes.... what did I write to contradict this?

> Therefore it is no surprise, that an advanced general purpose browser starts
> to implement this, even if the img element is not the best choice for authors.

But in many cases it _is_.

> Scripting was always a problem, inside HTML too for several reasons.

Yes...

> Obviously it gets even more interesting, if a plugin is used to display
> something, having its own scripting support and security holes.

Yes.

> But typically the user can simply decide to switch scripting on or off

We're not talking about the user. Running script in images would make _websites_ vulnerable, not users.

> And to have the same functionality for only different named elements
> simplifies the situation somehow - suspicious content can be anywhere

Right now, linking to an untrusted image using <img> is not a security problem for a website. Linking using <object> is. Changing this is not something that is either feasible or, in my opinion, desirable.

-Boris
Received on Friday, 25 January 2008 20:01:15 UTC