Marcos Caceres wrote:
Hi Doug,

On Thu, Jan 29, 2009 at 5:28 PM, Doug Schepers <schep...@w3.org> wrote:
Hi, Marcos-

Marcos Caceres wrote (on 1/29/09 7:53 AM):
On Wed, Jan 28, 2009 at 6:59 PM, Doug Schepers <schep...@w3.org> wrote:

I think that rather than specifying a particular spec or profile, the
Widgets spec should instead reference a feature set that is appropriate
for use as an icon.
Ok, we want to keep this at the authoring level as to not force
implementations to have to ship with stripped down SVG renderers.
I'm not sure I agree.  I think for security reasons, we should tell
implementors how to treat SVG icons (no script, no interactivity).  They
won't have to strip down the SVG viewer, just set up constraints (which
they need to do anyway).

Ok, I tend to agree with you that this may be what needs to happen.
However, I think this was what Boris was saying we should try to
avoid. Boris, any thoughts? comments?

Disabling features for security reasons is something that I'm all for. I've always had a funny feeling that that <svg:use> guy is up to no good! We should disable him promptly! ;)

Seriously though. Disabling scripting is something we should definitely do. We haven't yet added support to Gecko to truly treat SVG as images, i.e. you can't point an <img> or a CSS background on an SVG image. But once we do implement that, we plan on running it in a mode where all forms of scripting are disabled. We should recommend, or require, that this happens for the icon as well.

This is however very different from running it in a context where sets of elements are disabled to match closer the SVG Tiny 1.2 specification.

/ Jonas
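
An authoring-level check for the "no script" constraint discussed in this thread, as an added example that is not part of any message above. The set of constructs it flags (`script` and `handler` elements, `on*` attributes, `javascript:` links) is an assumption, since the thread names no list, and the function and sample names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the thread only says "no script, no interactivity"; this list is illustrative.
SCRIPT_ELEMENTS = {"script", "handler"}

def _local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def _is_script_url(value):
    # Remove whitespace and control characters before comparing the scheme.
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")

def find_script_constructs(svg_text):
    """Return (location, reason) findings for an SVG icon; an empty list means none."""
    if re.search(r"<!DOCTYPE|<!ENTITY", svg_text, re.IGNORECASE):
        # Refuse DTDs up front: an icon needs no entity definitions,
        # and they complicate safe parsing.
        return [("prolog", "DTD present, refused before parsing")]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("document", f"not well-formed XML: {exc}")]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPT_ELEMENTS:
            findings.append((tag, "script element"))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append((f"{tag}@{name}", "event handler attribute"))
            elif name == "href" and _is_script_url(value):
                findings.append((f"{tag}@{name}", "javascript: link"))
    return findings

# Constructed sample icons, not taken from the thread.
CLEAN_ICON = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_ICON = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<script>/* constructed */</script>'
    '<a xlink:href="java&#9;script:void(0)"><circle r="4"/></a></svg>'
)

if __name__ == "__main__":
    for label, icon in (("clean", CLEAN_ICON), ("scripted", SCRIPTED_ICON)):
        print(label, find_script_constructs(icon))
```

A check like this only reports on the file as authored; it does not replace the renderer running icons with scripting disabled.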
