Adobe plugin security fixes recommend proprietary EMBED

From: David Woolley <david@djwhome.demon.co.uk>
Date: Mon, 13 Oct 2003 08:16:11 +0100 (BST)
Message-Id: <200310130716.h9D7GBC00848@djwhome.demon.co.uk>
To: www-svg@w3.org

On about Thursday last week, Adobe re-issued their SVG plugin with a
number of serious security flaws fixed.

In connection with one of the (lesser) flaws, they said that people
should use EMBED rather than OBJECT, and the wording suggested that it
was their standard advice to use proprietary HTML with their plugin;
there was no indication that EMBED was proprietary.  (The specific issue
is that they can apparently sense the effect of the user's policy on
scripting with EMBED, but not with OBJECT, so they have unconditionally
disabled scripting with OBJECT.)

Another news item last week throws serious doubt on the viability of
any plugin-based option for SVG for use in non-scripted contexts (e.g.
as a replacement for GIF for straightforward line art images).  As
a workaround for the EOLAS patent, IE will prompt every time before
running a plugin unless the resource is provided as a data: scheme URL,
or the object is initialised using DOM manipulation (by code from the
remote site).

(In respect of the last, I don't believe software patents create the
innovation that is the justification for governments having patent
laws.  In this case the innovation has been in ways of avoiding the
patent, but which are generally detrimental to the web; they have not
been in potentially better ways of achieving the same thing.)

Received on Monday, 13 October 2003 03:17:46 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:53:59 UTC