Re: [CSP] SVG-in-img implementation difference

On Wed, Apr 23, 2014 at 3:01 PM, Mike West <mkwst@google.com> wrote:
> Ted's initial question was, as I understand it, "Should images loaded inside
> an SVG document loaded as an image be subject to the policy served with the
> SVG document itself, or to the policy from the page that loaded the SVG
> document as an image?"
>
> My answer is that the page's policy should apply: if the SVG document wants
> to load an image, it should only be allowed to do so if the page could load
> an image.

Right, and my answer is that CSP should not even come into play in the
scenario where SVG is used as an image as it should be as safe as any
other content referenced from <img>.


-- 
http://annevankesteren.nl/

Received on Wednesday, 23 April 2014 13:20:24 UTC