Re: img issue: should we restrict the URI

liorean wrote:
> and expose no way of getting from the content to the embedding document

Or to the browser UI.

This is actually not so easy, possibly.  It's certainly very failure-prone.  If 
it's possible to specify and implement this sanely, it might be OK to allow 
script in the <img>.  Things that would need to be specified, as a minimum:

1) Does the embedded content have a Window object?  If so:
  1a) window.parent: what is it?
  1b) window.print()
  1c) window.open(): should it work?
  1d) window.location: should the embedded content be able to set it?
2) How are targeted form submits expected to happen?
3) Should form submits be allowed at all?
4) Should XMLHttpRequest be allowed?

etc, etc.

For what it's worth, I think the answers to all of the above should be some 
variant of "no" or "the operation shouldn't be allowed".  That's a lot of 
special-casing to happen for SVG in <img>.

> Only if the execution of those scripts depends on the embedding
> website. Couldn't img elements simply run the script in a fully
> isolated environment?

If one came up with said hypothetical fully isolated environment, yes.  I 
suspect it would be pretty difficult to author scripts for, but I might be wrong.

-Boris

Received on Sunday, 27 January 2008 22:43:49 UTC