Re: img-src and inline <svg> from Glenn Adams on 2014-07-27 (public-webappsec@w3.org from July 2014)

From: Glenn Adams <glenn@skynav.com>
Date: Sun, 27 Jul 2014 10:37:01 -0400
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CACQ=j+fOC__cqqthk4AYXvGk0H4sfL=R30yM_P2f2Hvyr-QykQ@mail.gmail.com>

On Sun, Jul 27, 2014 at 7:12 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jul 25, 2014 at 9:53 PM, Brad Hill <hillbrad@gmail.com> wrote:
> > Should we require 'unsafe-inline' in img-src to allow inline SVG to be
> rendered?
>
> No.
>
> Inline SVG is no different from HTML. The "3.6 Policy applicability"
> section is super confusing I think when it comes to how all these
> things fit together. "Inline" SVG is completely different from <img
> src=svg> or HTML fetched through XMLHttpRequest.
>

I agree with Anne.


>
>
> --
> http://annevankesteren.nl/
>
>

Received on Sunday, 27 July 2014 14:37:49 UTC