- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 29 Jan 2008 09:42:09 -0600
- To: David Dailey <david.dailey@sru.edu>
- CC: Jeff Schiller <codedread@gmail.com>, Anne van Kesteren <annevk@opera.com>, liorean <liorean@gmail.com>, HTML WG <public-html@w3.org>
David Dailey wrote: > While I am not sure what problems we would have by > having scripts running inside <img> that we would not already have with > scripts running inside <object> or <iframe> The problem is simple: Authors expect script to run in <object>/<iframe> and take precautions. They don't expect it in <img> and don't take precautions. As a result, suddenly allowing script in <img> would make sites exploitable. -Boris
Received on Tuesday, 29 January 2008 15:42:20 UTC