Re: Fetching contexts from Dirk Schulze on 2013-06-23 (public-webappsec@w3.org from June 2013)

From: Dirk Schulze <dschulze@adobe.com>
Date: Sun, 23 Jun 2013 08:17:18 -0700
To: Boris Zbarsky <bzbarsky@MIT.EDU>
CC: Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@annevk.nl>, Gordon Hemsley <me@gphemsley.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <E356B0AD-B66C-4A74-8378-E45E8DC4DDC0@adobe.com>

On Jun 23, 2013, at 5:57 AM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

> On 6/23/13 1:03 AM, Adam Barth wrote:
>> It depends on how you load SVG.  If you use <img src="foo.svg">, then
>> it's covered by the img-src directive.  If you use <iframe
>> src="foo.svg">, then it's frame-src.  If you use <object
>> data="foo.svg">, then it's object-src.
> 
> We're talking specifically about SVG resource documents, not any of 
> those.  So filter(url) and company.

I think it makes absolutely sense to to use style-src here. Of course we need to define the fetching for these resources. The SVG WG decided that the SVG Integration spec will take care of it. A lot of work is still needed on this spec and help / suggestions are more than welcome.

Greetings,
Dirk

> 
> -Boris
>

Received on Sunday, 23 June 2013 15:17:46 UTC