W3C home > Mailing lists > Public > w3c-wai-ig@w3.org > July to September 2016

Re: Interactive Images (was: SVG 2 review request)

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Mon, 15 Aug 2016 17:16:14 -0700
Message-ID: <CAAWBYDD51x5pqY+V+qB8uCh+VMC77PBfudH78kcg0cOALFW98g@mail.gmail.com>
To: Doug Schepers <schepers@w3.org>
Cc: "Patrick H. Lauke" <redux@splintered.co.uk>, David Dailey <ddailey@zoominternet.net>, Amelia Bellamy-Royds <amelia.bellamy.royds@gmail.com>, Rich Morin <rdm@cfcl.com>, w3c-wai-ig@w3.org, Nikos Andronikos <Nikos.Andronikos@cisra.canon.com.au>, www-svg <www-svg@w3.org>
On Mon, Aug 15, 2016 at 3:16 PM, Doug Schepers <schepers@w3.org> wrote:
> Hi, Tab, Patrick–
>
> On 8/15/16 5:10 PM, Tab Atkins Jr. wrote:
>>
>> On Sat, Aug 13, 2016 at 2:49 AM, Patrick H. Lauke wrote:
>>>
>>> On 13/08/2016 05:50, Doug Schepers wrote:
>>>>
>>>> I'd like to hear a more concrete explanation of why interactivity
>>>> in <img> must be disallowed.
>
> ...
>>>
>>> *IF* you wanted to add something interactive inside an <img>,
>>> you'dneed to signal this with at least
>>>  the addition of a different role="..."  attribute
>>> (and then change user agent behavior, which would assume <img> is
>>> non-interactive, so presumably doesn't cater for focusability
>>> etc).
>>> But this still feels like a conceptual stretch...
>>
>>
>> Yup! And it's a completely *unnecessary* stretch, because HTML
>> *already* has elements that indicate interactive embedding of
>> resources: <iframe> and <object>!  There's zero need to fiddle with
>> <img>'s semantics.
>
> If you'll read the original thread, you'll see that the issue is more
> subtle than that.
>
> Many sites and services only use <img> because it bypasses the security
> problems that using <object> or <iframe> would introduce.
>
> In terms of user-expected behavior, most users are familiar with image
> maps, where there is interactivity (specifically, link navigation); to
> them, it doesn't matter if the link is specified in the HTML file or the
> image file, they only know the UI behavior. Similarly, CSS ::hover
> effects seem like interactivity on the image to users.
>
> Allowing certain kinds of interactivity in <img>, such as link
> navigation or declarative animation (like ::hover) or text selection,
> but not script execution, would continue to match user and author
> expectations about security and behavior, while also allowing more
> interesting options for SVG images.

Note that "link navigation" is also potentially a security-conscious
behavior that sites might want to restrict, or at least would be
surprised if it was suddenly allowed.

<iframe sandbox> gives you guaranteed-safe SVG embedding, *and* lets
you more granularly shut down or enable a few more behaviors from the
defaults.  Using either <img> (for static images) or <iframe sandbox>
(for interactive images/documents) as you feel appropriate should be
all we need.

~TJ
Received on Tuesday, 16 August 2016 00:17:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 16 August 2016 00:17:13 UTC