Re: [CSP] SVG-in-img implementation difference

On 4/23/2014 9:01 AM, Mike West wrote:
> I'm not sure I follow what you're not following. :)
>
> Ted's initial question was, as I understand it, "Should images loaded
> inside an SVG document loaded as an image be subject to the policy
> served with the SVG document itself, or to the policy from the page
> that loaded the SVG document as an image."
>
That's not quite correct; the question was "should the policy of a
document apply to an SVG document loaded via <img>". In this case the
document contains <img src="img.svg">, and the document's policy
prevented inline style attributes, which made inline style in the SVG
document not apply.

> My answer is that the page's policy should apply: if the SVG document
> wants to load an image, it should only be allowed to do so if the page
> could load an image.
>

I can see the argument either way here, honestly, especially when the
policy for the page and the SVG document are different (as they were in
this case).

-Ted

Received on Wednesday, 23 April 2014 14:58:28 UTC
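
A minimal reproduction of the case described in this message, added here as an example and not part of the original thread: a page whose policy disallows inline style loads an SVG via <img>, and the SVG carries an inline style attribute and a different policy of its own. The paths, port, policy strings and function names are assumptions made for the test case; the inline-style check is a simplified reading of CSP that ignores nonces and hashes.

```javascript
// Constructed test case; paths, port and policy strings are assumptions.
const PAGE_CSP = "default-src 'self'; style-src 'self'"; // no inline style
const SVG_CSP = "default-src 'none'; style-src 'unsafe-inline'";

// The style attribute overrides the fill attribute when it is applied:
// green = inline style applied, red = inline style blocked.
const SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="120" height="120">
  <rect width="120" height="120" fill="red" style="fill: green"/>
</svg>`;
const PAGE = `<!doctype html>
<title>CSP and SVG-in-img</title>
<p>Green: SVG inline style applied. Red: it was blocked.</p>
<img src="/img.svg" alt="test square">`;

const ROUTES = new Map([
  ['/', { type: 'text/html; charset=utf-8', csp: PAGE_CSP, body: PAGE }],
  ['/img.svg', { type: 'image/svg+xml', csp: SVG_CSP, body: SVG }],
]);

// Pure routing step, so the served headers can be checked without a browser.
function respond(path) {
  const route = ROUTES.get(path);
  if (!route) return { status: 404, headers: {}, body: 'not found' };
  return { status: 200, body: route.body, headers: {
    'Content-Type': route.type, 'Content-Security-Policy': route.csp } };
}

// Simplified: the first style-src-attr, style-src or default-src directive
// governs inline style attributes; only 'unsafe-inline' allows them here.
function allowsInlineStyle(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  const sources = directives.get('style-src-attr') ??
    directives.get('style-src') ?? directives.get('default-src');
  return sources === undefined || sources.includes("'unsafe-inline'");
}

// Square colour to expect if the given policy governs the SVG.
const expectedColour = (p) => (allowsInlineStyle(p) ? 'green' : 'red');

if (process.argv.includes('--serve')) { // node file.js --serve
  require('http').createServer((req, res) => {
    const { status, headers, body } = respond(req.url);
    res.writeHead(status, headers);
    res.end(body);
  }).listen(8080, '127.0.0.1');
}
```

Loading http://127.0.0.1:8080/ in each browser under test shows which reading it implements: a red square means the page's policy was enforced inside the SVG, a green one means it was not.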