Re: [svgwg] SVG MIME Type (image/svg+xml) is misleading to developers from Geoffrey Sneddon via GitHub on 2016-10-27 (public-svg-issues@w3.org from October 2016)

From: Geoffrey Sneddon via GitHub <sysbot+gh@w3.org>
Date: Thu, 27 Oct 2016 22:11:37 +0000
To: public-svg-issues@w3.org
Message-ID: <issue_comment.created-256784723-1477606295-sysbot+gh@w3.org>

> I thought the intent would be more clear from the forking 
suggestion, but the goal is to make `image/svg+xml` NEVER allow code 
execution.

My intent was to get at how you intend on getting browser vendors to 
ship that (breaking) change? Browser vendors are unlikely to ship such
 a breaking change just because the spec has changed (over concern 
about how many SVGs will be broken as a result), and the security 
issue exists as long as browsers support script execution on 
`image/svg+xml`. Browser vendors are incredibly adverse to breaking 
content, and changing browsers is going to be far harder than changing
 the spec here.

-- 
GitHub Notification of comment by gsnedders
Please view or discuss this issue at 
https://github.com/w3c/svgwg/issues/266#issuecomment-256784723 using 
your GitHub account

Received on Thursday, 27 October 2016 22:11:43 UTC