
Re: [CSP] SVG-in-img implementation difference

From: Mike West <mkwst@google.com>
Date: Wed, 23 Apr 2014 15:01:27 +0200
Message-ID: <CAKXHy=dS0i=TKBR1utaZgdjO=dQo+_eD+Kx5epyJh9HNtNwWCw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Ted Mielczarek <ted@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I'm not sure I follow what you're not following. :)

Ted's initial question was, as I understand it, "Should images loaded
inside an SVG document loaded as an image be subject to the policy served
with the SVG document itself, or to the policy from the page that loaded
the SVG document as an image."

My answer is that the page's policy should apply: if the SVG document wants
to load an image, it should only be allowed to do so if the page could load
an image.


Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Apr 23, 2014 at 2:36 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Apr 23, 2014 at 2:32 PM, Mike West <mkwst@google.com> wrote:
> > If we want 'img-src' to restrict a page's ability to reference a GIF, then
> > that restriction should apply regardless of whether the GIF is pulled in via
> > <img> directly or indirectly.
>
> I'm not sure I follow what you're saying or how it relates to what I wrote.
>
> --
> http://annevankesteren.nl/
Received on Wednesday, 23 April 2014 13:02:15 UTC
