- From: Dimitri Glazkov <dglazkov@chromium.org>
- Date: Wed, 19 Jun 2013 11:05:08 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Simon Pieters <simonp@opera.com>, public-webapps <public-webapps@w3.org>, Hajime Morrita <morrita@google.com>
Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=22407 to track this.

:DG<

On Thu, May 16, 2013 at 9:39 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Wed, May 15, 2013 at 9:08 PM, Simon Pieters <simonp@opera.com> wrote:
>> Case study: <img> was historically not capable of executing script from an
>> external file. This led to sites expecting <img> to be safe (e.g. allow
>> untrusted comments to use <img>). When browsers wanted to support SVG in
>> <img>, scripting had to be disabled in order to not break the assumption
>> that <img> is safe.
>
> Further case-in-point: Hosting SVG same-origin is nevertheless still
> very much a no-no as tricking the user into loading the file directly
> will expose the user to said scripts.
>
>
> --
> http://annevankesteren.nl/
Received on Wednesday, 19 June 2013 18:05:36 UTC
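The thread's point is that an SVG file which is inert inside <img> can still carry script when a user is led to open it directly from the same origin. The following is an added example, not code from the thread or from any browser project: a small defender-side check that flags the script-bearing constructs in an uploaded SVG (script elements, on* event-handler attributes, javascript: hrefs, foreignObject) before it is served from the site's own origin. The function names and the sample SVG strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"


def _local(qname):
    # Strip the "{namespace}" prefix ElementTree puts on tags and attributes.
    return qname.rsplit("}", 1)[-1].lower()


def svg_script_findings(svg_text):
    """Return a list of reasons this SVG could run script if navigated to directly.

    Denylist check only: it demonstrates the constructs the thread is talking
    about, it is not a complete sanitizer. Untrusted uploads are safer served
    from a separate origin or as an attachment. For hostile XML in production,
    parse with a hardened parser (e.g. defusedxml) rather than plain ElementTree.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append("<script> element")
        elif name == "foreignobject":
            findings.append("<foreignObject> (may embed HTML content)")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings


def is_safe_to_serve_inline(svg_text):
    """True only when no script-capable construct was found."""
    return not svg_script_findings(svg_text)


# Constructed sample inputs for demonstration.
SAMPLE_CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SAMPLE_SCRIPTED = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script>/* constructed */</script>'
    '<rect width="1" height="1" onload="handler()"/>'
    '<a xlink:href="javascript:handler()"><text>t</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("scripted", SAMPLE_SCRIPTED)):
        print(label, svg_script_findings(sample))
```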