Re: Progress on SVG book -- question concerning <embed> vs <object> in HTML

On Sat, Apr 4, 2009 at 3:09 AM, Doug Schepers <schepers@w3.org> wrote:
> Hi, David-
>
> Dailey, David P. wrote (on 4/3/09 3:57 PM):
>>
>> Way back when, <embed> was recommended by Adobe as the preferred way to
>> put SVG in HTML. [history as I understand it was that <object> plus
>> script introduced a security problem forcing Adobe to disable it]
>
> Hmmm... I don't recall this.  Was this a recent development?
>

Adobe's page http://www.adobe.com/svg/viewer/install/ says:

"Adobe recommends that you not use the OBJECT tag and instead use the
EMBED tag when embedding SVG in HTML pages"

My understanding was that it was really because IE handles EMBED
better than OBJECT.  I know that more recent versions of IE (7 and 8)
supposedly handle OBJECT in a more standards-compliant way, but I
haven't really experimented with IE and ASV in a long while.

My memory also dimly recalls something about executing scripts in
OBJECT vs. EMBED, but I'm afraid I can't remember the details.  Surely
there is some information still on http://wiki.svg.org/SVG_and_HTML ?

Regards,
Jeff

>
>> <object> is the “standards compliant” way (though I suspect HTML5 may
>> grandfather <embed> in, as a part of its “avoid breaking the web” *
>> design principle)
>
> Yes, it's back in (as Jeff notes).  I don't know the reason for not
> including it in the first place.  I am not sure it will be valid XHTML,
> though that might also come with X/HTML5.
>
>
>> In the book I’m trying to finish up, in order to get things working,
>> even in IE/ASV, I had chosen the one way of getting it to work
>> everywhere: <embed> as the recommendation. One of the reviewers (who
>> happens to be a friend) complained that “modern browsers” don’t need
>> that. So I am backpedaling a good bit on my previous recommendation. I
>> am not wishing though, to recommend that content developers all ignore
>> IE/ASV – that is a choice they should make of their own informed consent.
>
> There's also the <iframe> element, which I've mostly used for the past few
> years.  I talk about the various ways to embed SVG here:
>  http://www.schepers.cc/svg/blendups/embedding.html
>
> The SVG WG is planning to make a new spec, the SVG Integration module, which
> will go into more detail on the various ways to embed SVG.
>
>
>> Only two browsers (Opera and IE/ASV) provide robust support for filters
>> and SMIL and so forth, and so I really don’t want to encourage authors
>> to ignore one of the two browsers that actually does all this stuff
>> generally correctly.
>
> Actually, Firefox seems to be making good progress on filters for FF 3.5.
>
>
>> Anyhow, and regardless of the emotion that this topic may engender, I’m
>> interested in explaining the alternative use of
>>
>> <object id="E" type="image/svg+xml" data="ovals.svg" width="320"
>>         height="240">
>>   <param name="src" value="ovals.svg">
>> </object>
>>
>> as a way to trick IE/ASV into accepting <object> (and without disabling
>> script).
>>
>> My questions: 1. does the above still expose the user to the security
>> risk that Adobe was concerned about in the first place?
>>
>> If so advising this work-around would perhaps not be a good idea.
>
> I guess the thing to do would be to find out when and why they did this, see
> if there is a known exploit, and see if that still poses the same risk.
>
>
>> 2. Since <embed> works everywhere, why not recommend it? Is the only
>> reason not to that it is not a W3C standard? What do I tell our readers
>> who may not care if it’s a standard or not so long as it works?
>
> I have no problem recommending <embed>, <object>, or <iframe>.  In the
> future, <img> and CSS backgrounds should work across browsers, too (right
> now, only Opera seems to get it right, though Safari is not too bad,
> either... they still have CSS background issues, but hopefully that will get
> cleared up soon).
>
> This is something I hope Renesis works on as well.
>
>
>> * platitudes like that often make me nervous (“patriot act” “no child
>> left behind” --- it seems like they usually have just the opposite effect)
>
> Why do you hate our troops, David?
>
>
> Regards-
> -Doug Schepers
> W3C Team Contact, SVG and WebApps WGs
>
>

Received on Saturday, 4 April 2009 12:59:58 UTC