W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

[MIX]: Can we distinguish between images loader via `<picture>`/`srcset` and `<img>`?

From: Mike West <mkwst@chromium.org>
Date: Mon, 30 Jun 2014 16:02:12 +0200
Message-ID: <CAKXHy=egiJC3gVdCLe552dPrv6j99-jmekMv=efqrybeXONPmQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Chris Palmer <palmer@google.com>, Brian Smith <brian@briansmith.org>, Tab Atkins <tabatkins@google.com>, simonp@opera.com, Yoav Weiss <yoav@yoav.ws>
It's going to be more or less impossible to begin blocking mixed `<img>`
content by default, given the amount of usage we're likely to see in the
wild (I'm still waiting for metrics from Chrome stable, but I'm not
hopeful). I think it will be significantly less impossible to avoid the
same mistake with the new responsive hotness.

I'd like to distinguish between images loaded via the plain old, boring
`<img>` tag, and images loaded by authors who have opted into The
Future(tm). I believe Brian suggested this in a previous thread, but I
can't find the link at the moment.

I had a quick chat with Yoav this afternoon, and we've got a tiny Blink
patch which changes behavior for `<picture>` and `srcset`. If other vendors
are interested in picking up changes along these lines, I'd love to add it
to the spec.


(CCing Tab and Simon and Yoav for responsive opinions :)).

Received on Monday, 30 June 2014 14:02:59 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC