Re: img issue: should we restrict the URI from Boris Zbarsky on 2008-01-27 (public-html@w3.org from January 2008)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sun, 27 Jan 2008 12:38:10 -0600
To: "Dr. Olaf Hoffmann" <Dr.O.Hoffmann@gmx.de>
CC: public-html@w3.org
Message-ID: <479CCF92.1090802@mit.edu>

Dr. Olaf Hoffmann wrote:
> It is not noted, that this has influence on the interpretation of the SVG and
> I think, it should not have influence. The interpretation should depend
> on the content of the SVG document of course, not on the embedding
> document, else the author would have written another SVG document ;o)

You're assuming the author of the SVG document and the author of the embedding 
document are the same.  This is a bad assumption.

>> We're not talking about the user.  Running script in images would make
>> _websites_ vulnerable, not users.
> 
> If it depends on img or object, this looks like a bad design/interpretation
> of the img element, if a website is more vulnerable with an image inside
> img as with an image inside object.

It might be a bad design, but it's extremely common.

> I think, there were already some
> security or at least stability problems with illformed JPEGS (don't know
> details anymore) too in more than one browser...

You're once again confusing user security and website security.

The security issue here is that just because a website allows users to post 
images it might not actually want to allow them to run script.  If images can 
run script, this becomes a problem.

> Does HTML4 mention, that one of img or object has to be used to ensure
> specific security assumptions?

It does not, but there are so many things that are required for web 
compatibility and sane security behavior that HTML4 doesn't mention that this is 
a rather silly metric to use.

A better metric is whether something is a de-facto standard.  <img> being safe 
for a website to include is.

 > Does the HTML5 draft mention this usage as typically intended for security 
issues?

I'm saying that it should.

> Another problem of embedded documents (both for img or object) indeed
> is, that for example SVG documents 'eat' events.

The point is that an SVG document embedded via <img> should not do this.  Are 
there UAs that support SVG in <img> and have the SVG "eat" events?

For <object>, a solution that dispatches events to the parent document might be 
a good idea, not just for SVG but also for HTML, etc.

> Then the control about the
> desired behaviour is left to the author of the embedding document.

That's a reasonable approach, yes.  So I could be open for a way to have an SVG 
linked in via <img> but with scripting enabled, perhaps. But by default it 
should be disabled.

-Boris

Received on Sunday, 27 January 2008 18:37:54 UTC