- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 30 Jul 2008 02:24:22 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: "Dr. Olaf Hoffmann" <Dr.O.Hoffmann@gmx.de>, public-html@w3.org
On Fri, 25 Jan 2008, Boris Zbarsky wrote: > > [...] the content of an <img> is guaranteed to be static content in the > sense that it won't run JavaScript (though I do wonder how Opera's SVG > and Safari's PDF handling play there; I would hope they disable > JavaScript when embedding SVG and PDF via <img>). <object> carries no > such security guarantee; quite the contrary. > > Now this guarantee is not spelled out in the HTML4 specification, of > course. But it has been provided by all UAs for a number of years now, > and it's widely relied on by content. > > In fact, it would make a lot of sense to specify this guarantee in > HTML5... Done. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 30 July 2008 02:24:58 UTC