- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 23 Apr 2014 14:29:46 +0200
- To: Mike West <mkwst@google.com>
- Cc: Ted Mielczarek <ted@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Apr 23, 2014 at 2:22 PM, Mike West <mkwst@google.com> wrote:
> This is especially relevant for scripting restrictions; I believe script
> executes in an SVG document in the same execution context as the document
> the SVG was included in. Given that, we'd certainly want to ensure that the
> _page's_ 'script-src' directive applied.

Well, SVG-as-image should not execute script to begin with. Part of the problem here is that the SVG-as-image concept is not very well defined. Given that SVG-as-image resources are already meant to be "safe" (no more dangerous than referencing a GIF) I do not see any reason why CSP would be applicable to it.

--
http://annevankesteren.nl/
Received on Wednesday, 23 April 2014 12:30:13 UTC