
Re: [CSP] SVG-in-img implementation difference

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 23 Apr 2014 15:19:57 +0200
Message-ID: <CADnb78j+1Vd5uGM06NLpz2kBti8XDQOUt3jYsXHGNNA7auoFrA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Ted Mielczarek <ted@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Apr 23, 2014 at 3:01 PM, Mike West <mkwst@google.com> wrote:
> Ted's initial question was, as I understand it, "Should images loaded inside
> an SVG document loaded as an image be subject to the policy served with the
> SVG document itself, or to the policy from the page that loaded the SVG
> document as an image."
>
> My answer is that the page's policy should apply: if the SVG document wants
> to load an image, it should only be allowed to do so if the page could load
> an image.

Right, and my answer is that CSP should not even come into play in the
scenario where SVG is used as image as it should be as safe as any
other content referenced from <img>.


-- 
http://annevankesteren.nl/
Received on Wednesday, 23 April 2014 13:20:24 UTC
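To make the three policy scopes discussed in this exchange concrete, the following Python model (an added example, not code from this thread, from the CSP specification, or from any browser) evaluates whether an <image> inside an SVG loaded through <img> may fetch a given URL under each position: the embedding page's img-src governs (Mike's answer), the SVG document's own policy governs, or no policy applies at all (Anne's answer). The source-expression matcher implements the CSP source-list matching rules in simplified form (host wildcards, ports, path prefixes, 'self', scheme-sources and the http-to-https relaxation). The origins, header values and image URLs below are constructed for illustration and say nothing about what any real browser does.

```python
"""Model of 'whose CSP governs a nested image fetch in SVG-as-image'.

Added example: the three positions are modelled as a parameter, and the
source-expression matching is a simplified version of the CSP rules.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]} (first duplicate wins)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _scheme_ok(expected, actual):
    # CSP lets an http: source expression also match https: URLs.
    return actual == expected or (expected == "http" and actual == "https")


def source_matches(expr, url, self_origin):
    """Return True if the source expression `expr` matches `url` (simplified CSP rules)."""
    u = urlsplit(url)
    url_host = (u.hostname or "").lower()
    if expr == "'self'":
        s = urlsplit(self_origin)
        return (u.scheme, url_host, _effective_port(u)) == (
            s.scheme, (s.hostname or "").lower(), _effective_port(s))
    if expr.startswith("'"):          # 'none' and other keywords match no URL
        return False
    if expr == "*":                   # bare wildcard: any network scheme
        return u.scheme in DEFAULT_PORTS
    if expr.endswith(":") and "/" not in expr:   # scheme-source such as "https:"
        return _scheme_ok(expr[:-1].lower(), u.scheme)
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = None, expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    if scheme is None:                # no scheme: inherit the protected resource's scheme
        scheme = urlsplit(self_origin).scheme
    if not _scheme_ok(scheme, u.scheme):
        return False
    host_port, _, path = rest.partition("/")
    host, _, port = host_port.partition(":")
    host = host.lower()
    if host.startswith("*."):         # "*.example.com" needs at least one label in front
        suffix = host[1:]
        if not (url_host.endswith(suffix) and len(url_host) > len(suffix)):
            return False
    elif url_host != host:
        return False
    if port == "*":
        pass
    elif port:
        if _effective_port(u) != int(port):
            return False
    elif _effective_port(u) != DEFAULT_PORTS.get(u.scheme):
        return False                  # no port given: URL must use its scheme's default
    if path:
        path = "/" + path
        if path.endswith("/"):
            return u.path.startswith(path)   # directory prefix
        return u.path == path                # exact file
    return True


def image_allowed(policy, image_url, self_origin):
    """Apply img-src (falling back to default-src) to an image fetch; no directive means allowed."""
    sources = policy.get("img-src")
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_matches(s, image_url, self_origin) for s in sources)


def nested_image_allowed(position, page_csp, page_origin, svg_csp, svg_origin, image_url):
    """Decide a nested <image> fetch from an SVG-as-image under one of the three positions:
    "page": the embedding page's policy governs;  "svg": the SVG's own policy governs;
    "none": CSP does not apply to SVG-as-image."""
    if position == "page":
        return image_allowed(parse_csp(page_csp), image_url, page_origin)
    if position == "svg":
        return image_allowed(parse_csp(svg_csp), image_url, svg_origin)
    if position == "none":
        return True
    raise ValueError(f"unknown position {position!r}")


# Constructed scenario (assumption, not from the thread): the page on example.com
# embeds an SVG served from cdn.example.com, and that SVG references three images.
PAGE_ORIGIN = "https://example.com"
PAGE_CSP = "default-src 'none'; img-src 'self' https://cdn.example.com"
SVG_ORIGIN = "https://cdn.example.com"
SVG_CSP = "img-src 'self'"
IMAGES = ["https://cdn.example.com/inner.png",
          "https://example.com/logo.png",
          "https://images.other.example/track.gif"]


def decision_table():
    """Return {position: {image_url: allowed}} for the constructed scenario."""
    return {pos: {img: nested_image_allowed(pos, PAGE_CSP, PAGE_ORIGIN, SVG_CSP, SVG_ORIGIN, img)
                  for img in IMAGES} for pos in ("page", "svg", "none")}


if __name__ == "__main__":
    for pos, row in decision_table().items():
        print(pos, {u: ("allow" if ok else "block") for u, ok in row.items()})
```

The point the table makes is that the answer differs per position only for cross-origin images: under "page", the page's img-src list decides which hosts the SVG may pull from; under "svg", the SVG's own 'self' excludes even the embedding page's origin; under "none", the nested fetch is treated like any other image load and nothing in CSP restricts it.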
