W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2013

Re: Fetching contexts

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sun, 23 Jun 2013 08:57:53 -0400
Message-ID: <51C6F0D1.10202@mit.edu>
To: Adam Barth <w3c@adambarth.com>
CC: Anne van Kesteren <annevk@annevk.nl>, Gordon Hemsley <me@gphemsley.org>, WebAppSec WG <public-webappsec@w3.org> 
On 6/23/13 1:03 AM, Adam Barth wrote:
> It depends on how you load SVG.  If you use <img src="foo.svg">, then
> it's covered by the img-src directive.  If you use <iframe
> src="foo.svg">, then it's frame-src.  If you use <object
> data="foo.svg">, then it's object-src.

We're talking specifically about SVG resource documents, not any of 
those.  So filter(url) and company.

-Boris
Received on Sunday, 23 June 2013 12:58:25 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:02 UTC