W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: img-src and inline <svg>

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sun, 27 Jul 2014 13:12:47 +0200
Message-ID: <CADnb78jfcM8y1A+PsE9rsc3FTnXdj9NO_u1cTXG4ghF0uZfGpg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Jul 25, 2014 at 9:53 PM, Brad Hill <hillbrad@gmail.com> wrote:
> Should we require 'unsafe-inline' in img-src to allow inline SVG to be rendered?

No.

Inline SVG is no different from HTML. The "3.6 Policy applicability"
section is super confusing I think when it comes to how all these
things fit together. "Inline" SVG is completely different from <img
src=svg> or HTML fetched through XMLHttpRequest.


-- 
http://annevankesteren.nl/
Received on Sunday, 27 July 2014 11:13:15 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC