W3C home > Mailing lists > Public > public-html@w3.org > January 2008

Re: img issue: should we restrict the URI

From: liorean <liorean@gmail.com>
Date: Sun, 27 Jan 2008 20:35:17 +0100
Message-ID: <cee13aa30801271135r75f0b01dif83293060344e30c@mail.gmail.com>
To: "HTML WG" <public-html@w3.org>

> Dr. Olaf Hoffmann wrote:
> > It is not noted, that this has influence on the interpretation of the SVG and
> > I think, it should not have influence. The interpretation should depend
> > on the content of the SVG document of course, not on the embedding
> > document, else the author would have written another SVG document ;o)

On 27/01/2008, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> You're assuming the author of the SVG document and the author of the embedding
> document are the same.  This is a bad assumption.

Well that really depends on the exposed object model for SVG in img.
If img elements were specified in such a way that they don't pass
events through to content at all (something I wouldn't expect an
element that is intended to be non-interactive to do), and expose no
way of getting from the content to the embedding document and no other
interactive interfaces, I see no reason why not to allow scripts to
run in SVG in img.

> >> We're not talking about the user.  Running script in images would make
> >> _websites_ vulnerable, not users.
> > If it depends on img or object, this looks like a bad design/interpretation
> > of the img element, if a website is more vulnerable with an image inside
> > img as with an image inside object.
> It might be a bad design, but it's extremely common.

Only if the execution of those scripts depends on the embedding
website. Couldn't img elements simply run the script in a fully
isolated environment?
 --
David "liorean" Andersson
Received on Sunday, 27 January 2008 19:35:28 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:29 UTC