Re: img-src and inline <svg>

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sun, 27 Jul 2014 13:12:47 +0200
Message-ID: <CADnb78jfcM8y1A+PsE9rsc3FTnXdj9NO_u1cTXG4ghF0uZfGpg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Jul 25, 2014 at 9:53 PM, Brad Hill <hillbrad@gmail.com> wrote:
> Should we require 'unsafe-inline' in img-src to allow inline SVG to be rendered?


Inline SVG is no different from HTML. The "3.6 Policy applicability"
section is super confusing I think when it comes to how all these
things fit together. "Inline" SVG is completely different from <img
src=svg> or HTML fetched through XMLHttpRequest.

Received on Sunday, 27 July 2014 11:13:15 UTC