Re: img issue: should we restrict the URI

On Fri, 25 Jan 2008, Boris Zbarsky wrote:
> 
> [...] the content of an <img> is guaranteed to be static content in the 
> sense that it won't run JavaScript (though I do wonder how Opera's SVG 
> and Safari's PDF handling play there; I would hope they disable 
> JavaScript when embedding SVG and PDF via <img>).  <object> carries no 
> such security guarantee; quite the contrary.
> 
> Now this guarantee is not spelled out in the HTML4 specification, of 
> course. But it has been provided by all UAs for a number of years now, 
> and it's widely relied on by content.
> 
> In fact, it would make a lot of sense to specify this guarantee in 
> HTML5...

Done.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 30 July 2008 02:24:58 UTC