
Re: img issue: should we restrict the URI

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 29 Jan 2008 09:42:09 -0600
Message-ID: <479F4951.70103@mit.edu>
To: David Dailey <david.dailey@sru.edu>
CC: Jeff Schiller <codedread@gmail.com>, Anne van Kesteren <annevk@opera.com>, liorean <liorean@gmail.com>, HTML WG <public-html@w3.org>

David Dailey wrote:
> While I am not sure what problems we would have by 
> having scripts running inside <img> that we would not already have with 
> scripts running inside <object> or <iframe>

The problem is simple:  Authors expect script to run in <object>/<iframe> and 
take precautions.  They don't expect it in <img> and don't take precautions.  As 
a result, suddenly allowing script in <img> would make sites exploitable.

-Boris
Received on Tuesday, 29 January 2008 15:42:20 UTC
