- From: Dirk Schulze <dschulze@adobe.com>
- Date: Tue, 19 Aug 2014 04:48:31 +0000
- To: "khill@microsoft.com" <khill@microsoft.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, www-svg <www-svg@w3.org>
Hi,

On Aug 19, 2014, at 12:00 AM, Kevin Hill <khill@microsoft.com> wrote:

> For <object> and <embed> tags loading images, what directive(s) apply? The spec indicates that object-src is for plugins, and img-src is for images – it doesn’t describe what to do for images loaded through these elements. Here are the current behaviors in some browsers:
> - Chrome
>   - For <embed> or <object> to an SVG file, both the object-src and the frame-src directives are applied
>   - For <object> to a PNG file, no policy is applied (seems to be a bug)
> - Firefox
>   - For <embed> or <object> to an SVG file, the object-src directive is applied
>   - For <object> to a PNG file, the object-src directive is applied
> - IE
>   - For <embed> or <object> to an SVG file, frame-src directive is applied
>   - For <object> to a PNG file, the img-src directive is applied
>
> Since it isn’t clear we are not sure what to do, although it looks like using object-src is the likely avenue to take.

I think the SVG WG would be interested in that question as well. Adding www-svg.

Greetings,
Dirk

Received on Tuesday, 19 August 2014 04:49:16 UTC
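
The per-browser behaviour reported in this thread, modelled as an added example (not part of the original messages) that evaluates one policy under each browser's reported directive choice. Assumptions: source matching is simplified to `*`, `'self'` and exact origins, a missing directive falls back to `default-src`, and the function names and `example` origins are constructed for illustration.

```javascript
// Directives each browser applied to <object>/<embed> loads, as reported in the
// message above. An empty list means no policy was applied.
const REPORTED = {
  Chrome:  { svg: ["object-src", "frame-src"], png: [] },
  Firefox: { svg: ["object-src"],              png: ["object-src"] },
  IE:      { svg: ["frame-src"],               png: ["img-src"] },
};

// Parse "name source source; name ..." into a Map; the first occurrence of a
// directive wins, later duplicates are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Simplified source-list match (assumption: only *, 'self' and exact origins).
// 'none' and an empty list match nothing.
function sourceListAllows(sources, url, selfOrigin) {
  const origin = new URL(url).origin;
  return sources.some((s) =>
    s === "*" || (s === "'self'" && origin === selfOrigin) || s.toLowerCase() === origin);
}

// A directive that is absent falls back to default-src; no policy at all allows.
function directiveAllows(policy, directive, url, selfOrigin) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  return sources === undefined ? true : sourceListAllows(sources, url, selfOrigin);
}

// For one <object>/<embed> load of the given kind ("svg" or "png"), return
// { Chrome, Firefox, IE } -> whether the load passes the directives that
// browser was reported to apply.
function verdicts(header, kind, url, selfOrigin) {
  const policy = parsePolicy(header);
  const out = {};
  for (const [browser, byKind] of Object.entries(REPORTED)) {
    out[browser] = byKind[kind].every((d) => directiveAllows(policy, d, url, selfOrigin));
  }
  return out;
}
```

Setting `object-src`, `frame-src` and `img-src` to the same source list removes the disagreement in every case except the Chrome PNG case, where the report says no directive was consulted.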