Re: Progress on SVG book -- question concerning <embed> vs <object> in HTML

Hi, David-

Dailey, David P. wrote (on 4/3/09 3:57 PM):
> Way back when, <embed> was recommended by Adobe as the preferred way to
> put SVG in HTML. [history as I understand it was that <object> plus
> script introduced a security problem forcing Adobe to disable it]

Hmmm... I don't recall this.  Was this a recent development?

I know that <object> used to crash some browsers, like Safari, which is 
why we hesitated to use it a while back.  But it seems to work well in 
Opera, Firefox, and Safari now.

> <object> is the “standards compliant” way (though I suspect HTML5 may
> grandfather <embed> in, as a part of its “avoid breaking the web” *
> design principle)

Yes, it's back in (as Jeff notes).  I don't know the reason for not 
including it in the first place.  I am not sure it will be valid XHTML, 
though that might also come with X/HTML5.

> In the book I’m trying to finish up, in order to get things working,
> even in IE/ASV, I had chosen the one way of getting it to work
> everywhere: <embed> as the recommendation. One of the reviewers (who
> happens to be a friend) complained that “modern browsers” don’t need
> that. So I am backpedaling a good bit on my previous recommendation. I
> am not wishing though, to recommend that content developers all ignore
> IE/ASV – that is a choice they should make of their own informed consent.

There's also the <iframe> element, which I've mostly used for the past 
few years.  I talk about the various ways to embed SVG here:

The SVG WG is planning to make a new spec, the SVG Integration module, 
which will go into more detail on the various ways to embed SVG.

> Only two browsers (Opera and IE/ASV) provide robust support for filters
> and SMIL and so forth, and so I really don’t want to encourage authors
> to ignore one of the two browsers that actually does all this stuff
> generally correctly.

Actually, Firefox seems to be making good progress on filters for FF 3.5.

> Anyhow, and regardless of the emotion that this topic may engender, I’m
> interested in explaining the alternative use of
> <object id="E" type="image/svg+xml" data="ovals.svg" width="320"
> height="240">
> <param name="src" value="ovals.svg">
> </object>
> as a way to trick IE/ASV into accepting <object> (and without disabling
> script).
> My questions: 1. does the above still expose the user to the security
> risk that Adobe was concerned about in the first place?
> If so advising this work-around would perhaps not be a good idea.

I guess the thing to do would be to find out when and why they did this, 
see if there is a known exploit, and see if that still poses the same risk.

> 2. Since <embed> works everywhere, why not recommend it? Is the only
> reason not to that it is not a W3C standard? What do I tell our readers
> who may not care if it’s a standard or not so long as it works?

I have no problem recommending <embed>, <object>, or <iframe>.  In the 
future, <img> and CSS backgrounds should work across browsers, too 
(right now, only Opera seems to get it right, though Safari is not too 
bad, either... they still have CSS background issues, but hopefully that 
will get cleared up soon).

This is something I hope Renesis works on as well.

> * platitudes like that often make me nervous (“patriot act” “no child
> left behind” --- it seems like they usually have just the opposite effect)

Why do you hate our troops, David?

-Doug Schepers
W3C Team Contact, SVG and WebApps WGs

Received on Saturday, 4 April 2009 08:09:21 UTC