Re: [CSP] SVG-in-img implementation difference

On Wed, Apr 23, 2014 at 2:22 PM, Mike West <mkwst@google.com> wrote:
> This is especially relevant for scripting restrictions; I believe script
> executes in an SVG document in the same execution context as the document
> the SVG was included in. Given that, we'd certainly want to ensure that the
> _page's_ 'script-src' directive applied.

Well, SVG-as-image should not execute script to begin with. Part of
the problem here is that the SVG-as-image concept is not very well
defined. Given that SVG-as-image resources are already meant to be
"safe" (no more dangerous than referencing a GIF) I do not see any
reason why CSP would be applicable to it.


-- 
http://annevankesteren.nl/

Received on Wednesday, 23 April 2014 12:30:13 UTC