Re: Fetching contexts

From: Dirk Schulze <dschulze@adobe.com>
Date: Sun, 23 Jun 2013 08:17:18 -0700
To: Boris Zbarsky <bzbarsky@MIT.EDU>
CC: Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@annevk.nl>, Gordon Hemsley <me@gphemsley.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <E356B0AD-B66C-4A74-8378-E45E8DC4DDC0@adobe.com>

On Jun 23, 2013, at 5:57 AM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

> On 6/23/13 1:03 AM, Adam Barth wrote:
>> It depends on how you load SVG.  If you use <img src="foo.svg">, then
>> it's covered by the img-src directive.  If you use <iframe
>> src="foo.svg">, then it's frame-src.  If you use <object
>> data="foo.svg">, then it's object-src.
> 
> We're talking specifically about SVG resource documents, not any of 
> those.  So filter(url) and company.

I think it absolutely makes sense to use style-src here. Of course we need to define the fetching for these resources. The SVG WG decided that the SVG Integration spec will take care of it. A lot of work is still needed on this spec and help / suggestions are more than welcome.

Greetings,
Dirk


> 
> -Boris
> 
Received on Sunday, 23 June 2013 15:17:46 UTC