- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sun, 27 Jan 2008 16:44:07 -0600
- To: liorean <liorean@gmail.com>
- CC: HTML WG <public-html@w3.org>
liorean wrote: > and expose no way of getting from the content to the embedding document Or to the browser UI. This is actually not so easy, possibly. It's certainly very failure-prone. If it's possible to specify and implement this sanely, it might be OK to allow script in the <img>. Things that would need to be specified, as a minimum: 1) Does the embedded content have a Window object? If so: 1a) window.parent: what is it? 1b) window.print() 1c) window.open(): should it work? 1d) window.location: should the embedded content be able to set it? 2) How are targeted form submits expected to happen? 3) Should form submits be allowed at all? 4) Should XMLHttpRequest be allowed? etc, etc. For what it's worth, I think the answers to all of the above should be some variant of "no" or "the operation shouldn't be allowed". That's a lot of special-casing to happen for SVG in <img>. > Only if the execution of those scripts depends on the embedding > website. Couldn't img elements simply run the script in a fully > isolated environment? If one came up with said hypothetical fully isolated environment, yes. I suspect it would be pretty difficult to author scripts for, but I might be wrng. -Boris
Received on Sunday, 27 January 2008 22:43:49 UTC