- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 16 May 2013 17:39:37 +0100
- To: Simon Pieters <simonp@opera.com>
- Cc: Dimitri Glazkov <dglazkov@chromium.org>, public-webapps <public-webapps@w3.org>, Hajime Morrita <morrita@google.com>
On Wed, May 15, 2013 at 9:08 PM, Simon Pieters <simonp@opera.com> wrote:

> Case study: <img> was historically not capable of executing script from an
> external file. This led to sites expecting <img> to be safe (e.g. allow
> untrusted comments to use <img>). When browsers wanted to support SVG in
> <img>, scripting had to be disabled in order to not break the assumption
> that <img> is safe.

Further case-in-point: Hosting SVG same-origin is nevertheless still very
much a no-no, as tricking the user into loading the file directly will
expose the user to said scripts.

--
http://annevankesteren.nl/
Received on Thursday, 16 May 2013 16:40:10 UTC
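The distinction the thread draws (script in SVG is inert inside <img> but runs when the same file is navigated to directly) is the reason an upload pipeline wants to know whether an SVG carries anything executable before it lands on the main origin. The following is an added example, not code from the thread or from any browser vendor: a conservative stdlib-only pre-check that flags script-capable constructs in an untrusted SVG, with the two sample documents constructed here for illustration. It is a triage aid, not a sanitizer; hosting untrusted files on a separate origin remains the actual fix.

```python
"""Flag SVG documents that could execute script if a user opens them directly.

Added example (not from the mailing-list thread). The checks are deliberately
broad: any script element, any on* event-handler attribute, any javascript:
URL, and any foreignObject (which can carry arbitrary HTML).
"""
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip an XML namespace prefix like '{http://www.w3.org/2000/svg}' from a tag/attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def active_content(svg_text: str) -> list[str]:
    """Return reasons this SVG could run script when navigated to; [] means none found."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr_name, value in el.attrib.items():
            attr = _local(attr_name)          # handles xlink:href as well as plain href
            if attr.startswith("on"):
                findings.append(f"{attr} event handler on <{tag}>")
            # Collapse all whitespace before matching so 'java script:' style spacing is caught.
            if attr == "href" and "".join(value.split()).lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {attr} on <{tag}>")
    return findings


def safe_to_host_same_origin(svg_text: str) -> bool:
    """True only when the pre-check found no script-capable content."""
    return not active_content(svg_text)


# Constructed sample inputs for illustration.
CLEAN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             '<rect width="10" height="10" fill="red"/></svg>')
HOSTILE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               '<script>console.log("runs when opened directly, not inside img")</script>'
               '<a xlink:href="javascript:void(0)"><text onclick="void(0)">x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("hostile", HOSTILE_SVG)):
        print(label, "->", active_content(doc) or "no active content found")
```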