I'm not sure I follow what you're not following. :) Ted's initial question was, as I understand it, "Should images loaded inside an SVG document loaded as an image be subject to the policy served with the SVG document itself, or to the policy from the page that loaded the SVG document as an image." My answer is that the page's policy should apply: if the SVG document wants to load an image, it should only be allowed to do so if the page could load an image. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Wed, Apr 23, 2014 at 2:36 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Wed, Apr 23, 2014 at 2:32 PM, Mike West <mkwst@google.com> wrote: > > If we want 'img-src' to restrict a page's ability to reference a GIF, > then > > that restriction should apply regardless of whether the GIF is pulled in > via > > <img> directly or indirectly. > > I'm not sure I follow what you're saying or how it relates to what I wrote. > > > -- > http://annevankesteren.nl/ >
Received on Wednesday, 23 April 2014 13:02:15 UTC