W3C home > Mailing lists > Public > public-html@w3.org > January 2008

Re: img issue: should we restrict the URI

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 30 Jan 2008 11:37:20 +0100
To: "David Dailey" <david.dailey@sru.edu>
Cc: "HTML WG" <public-html@w3.org>
Message-ID: <op.t5qnsii264w2qv@annevk-t60.oslo.opera.com>

On Tue, 29 Jan 2008 16:34:14 +0100, David Dailey <david.dailey@sru.edu>  
wrote:
> I would agree. Since the types of things that are supported by <img> are  
> not specified, then allowing authors to know some boundaries on what to  
> expect makes sense. While I am not sure what problems we would have by  
> having scripts running inside <img> that we would not already have with  
> scripts running inside <object> or <iframe>, I'm willing to believe that  
> there probably are reasons (see speculation in last paragraph below).

I thought this was already clear, but I'll try to explain. Say you have a  
site david.example.org and you allow your users to post <img> elements to  
your website so they can share their PNG, JPG etc. The underlying  
assumption here is that images are safe and apart from being very big in  
size can't really do much harm to your website. But if images can suddenly  
execute script there are a lot of potential issues, such as cookie theft,  
denial of service attacks, etc.

Sites today assume that <img> is safe. Making <img> unsafe like <object>  
and <iframe> would create security problems all over the Web.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 30 January 2008 10:34:23 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:29 UTC