- From: Ted Mielczarek <ted@mozilla.com>
- Date: Wed, 23 Apr 2014 10:58:01 -0400
- To: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 4/23/2014 9:01 AM, Mike West wrote: > I'm not sure I follow what you're not following. :) > > Ted's initial question was, as I understand it, "Should images loaded > inside an SVG document loaded as an image be subject to the policy > served with the SVG document itself, or to the policy from the page > that loaded the SVG document as an image." > That's not quite correct, the question was "should the policy of a document apply to an SVG document loaded via <img>". In this case the document contains <img src="img.svg">, and the document's policy prevented inline style attributes, which made inline style in the SVG document not apply. > My answer is that the page's policy should apply: if the SVG document > wants to load an image, it should only be allowed to do so if the page > could load an image. > I can see the argument either way here, honestly, especially when the policy for the page and the SVG document are different (as they were in this case). -Ted
Received on Wednesday, 23 April 2014 14:58:28 UTC