- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Mon, 15 Aug 2016 17:16:14 -0700
- To: Doug Schepers <schepers@w3.org>
- Cc: "Patrick H. Lauke" <redux@splintered.co.uk>, David Dailey <ddailey@zoominternet.net>, Amelia Bellamy-Royds <amelia.bellamy.royds@gmail.com>, Rich Morin <rdm@cfcl.com>, w3c-wai-ig@w3.org, Nikos Andronikos <Nikos.Andronikos@cisra.canon.com.au>, www-svg <www-svg@w3.org>
On Mon, Aug 15, 2016 at 3:16 PM, Doug Schepers <schepers@w3.org> wrote: > Hi, Tab, Patrick– > > On 8/15/16 5:10 PM, Tab Atkins Jr. wrote: >> >> On Sat, Aug 13, 2016 at 2:49 AM, Patrick H. Lauke wrote: >>> >>> On 13/08/2016 05:50, Doug Schepers wrote: >>>> >>>> I'd like to hear a more concrete explanation of why interactivity >>>> in <img> must be disallowed. > > ... >>> >>> *IF* you wanted to add something interactive inside an <img>, >>> you'dneed to signal this with at least >>> the addition of a different role="..." attribute >>> (and then change user agent behavior, which would assume <img> is >>> non-interactive, so presumably doesn't cater for focusability >>> etc). >>> But this still feels like a conceptual stretch... >> >> >> Yup! And it's a completely *unnecessary* stretch, because HTML >> *already* has elements that indicate interactive embedding of >> resources: <iframe> and <object>! There's zero need to fiddle with >> <img>'s semantics. > > If you'll read the original thread, you'll see that the issue is more > subtle than that. > > Many sites and services only use <img> because it bypasses the security > problems that using <object> or <iframe> would introduce. > > In terms of user-expected behavior, most users are familiar with image > maps, where there is interactivity (specifically, link navigation); to > them, it doesn't matter if the link is specified in the HTML file or the > image file, they only know the UI behavior. Similarly, CSS ::hover > effects seem like interactivity on the image to users. > > Allowing certain kinds of interactivity in <img>, such as link > navigation or declarative animation (like ::hover) or text selection, > but not script execution, would continue to match user and author > expectations about security and behavior, while also allowing more > interesting options for SVG images. Note that "link navigation" is also potentially a security-conscious behavior that sites might want to restrict, or at least would be surprised if it was suddenly allowed. <iframe sandbox> gives you guaranteed-safe SVG embedding, *and* lets you more granularly shut down or enable a few more behaviors from the defaults. Using either <img> (for static images) or <iframe sandbox> (for interactive images/documents) as you feel appropriate should be all we need. ~TJ
Received on Tuesday, 16 August 2016 00:17:04 UTC