- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 29 Jan 2009 13:29:28 -0800
- To: Marcos Caceres <marcosscaceres@gmail.com>
- CC: Doug Schepers <schepers@w3.org>, Boris Zbarsky <bzbarsky@mit.edu>, public-webapps <public-webapps@w3.org>
Marcos Caceres wrote: > Hi Doug, > > On Thu, Jan 29, 2009 at 5:28 PM, Doug Schepers <schepers@w3.org> wrote: >> Hi, Marcos- >> >> Marcos Caceres wrote (on 1/29/09 7:53 AM): >>> On Wed, Jan 28, 2009 at 6:59 PM, Doug Schepers <schepers@w3.org> wrote: >>> >>>> I think that rather than specifying a particular spec or profile, the >>>> Widgets spec should instead reference a feature set that is appropriate >>>> for use as a icon. >>> Ok, we want to keep this as the authoring level as to not force >>> implementations to have to ship with stripped down SVG renderers. >> I'm not sure I agree. I think for security reasons, we should tell >> implementors how to treat SVG icons (no script, no interactivity). They >> won't have to strip down the SVG viewer, just set up constraints (which >> they need to do anyway). > > Ok, I tend to agree with you that this may be what needs to happen. > However, I think this was what Boris was saying we should try to > avoid. Boris, any thoughts? comments? Disabling features for security reasons is something that I'm all for. I've always had a funny feeling that that <svg:use> guy is up to no good! We should disable him promptly! ;) Seriously though. Disabling scripting is something we should definitely do. We haven't yet added support to gecko to truly treat SVG as images, i.e. you can't point an <img> or a css background on an SVG image. But once we do implement that, we plan on running it in a mode where all forms of scripting is disabled. We should recommend, or require, that this happens for for the icon as well. This is however very different from running it in a context where sets of elements are disabled to match closer the SVG Tiny 1.2 specification. / Jonas
Received on Thursday, 29 January 2009 21:30:19 UTC