Re: Fetching contexts from Boris Zbarsky on 2013-06-23 (public-webappsec@w3.org from June 2013)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sun, 23 Jun 2013 08:57:53 -0400
To: Adam Barth <w3c@adambarth.com>
CC: Anne van Kesteren <annevk@annevk.nl>, Gordon Hemsley <me@gphemsley.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <51C6F0D1.10202@mit.edu>

On 6/23/13 1:03 AM, Adam Barth wrote:
> It depends on how you load SVG.  If you use <img src="foo.svg">, then
> it's covered by the img-src directive.  If you use <iframe
> src="foo.svg">, then it's frame-src.  If you use <object
> data="foo.svg">, then it's object-src.

We're talking specifically about SVG resource documents, not any of 
those.  So filter(url) and company.

-Boris

Received on Sunday, 23 June 2013 12:58:25 UTC