- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Thu, 21 Oct 2010 12:36:54 +1300
- To: Jennifer Yu <Jennifer.Yu@microsoft.com>
- Cc: "www-svg@w3.org" <www-svg@w3.org>
Received on Wednesday, 20 October 2010 23:37:28 UTC
On Thu, Oct 21, 2010 at 11:59 AM, Jennifer Yu <Jennifer.Yu@microsoft.com>wrote: > If I have a server that hosts SVG, is there any way to prevent another > website from executing script embedded within the SVG on my server? > > > > The description of the HTML <img> tag allows a web author to prevent > externally-hosted SVG from executing script. I did not, however, find > mention of a way to prevent an external site from executing script within > SVG hosted on my server. If I want to treat SVG like another image format > and allow users to upload SVG images to my server, is there currently any > way to prevent script inside the uploaded SVG from executing? > No. The Web doesn't really support this. For example, any site can embed an <iframe> that loads a page from your site and runs script in it. We try to prevent the outer document from poking the inner document (with mixed success, see clickjacking). Rob -- "Now the Bereans were of more noble character than the Thessalonians, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true." [Acts 17:11]
Received on Wednesday, 20 October 2010 23:37:28 UTC