
html5/spec Overview.html,1.1268,1.1269

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Thu, 21 Aug 2008 10:06:34 +0000
To: public-html-commits@w3.org
Message-Id: <E1KW73q-0004XL-Pf@lionel-hutz.w3.org>

Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv16944

Modified Files:
	Overview.html 
Log Message:
Make it impossible for an SVG file not labelled as SVG to be sniffed as a valid image in <img> (that would allow privilege escalation), but do allow a correctly-labelled SVG to be processed as such. (whatwg r2096)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.1268
retrieving revision 1.1269
diff -u -d -r1.1268 -r1.1269
--- Overview.html	21 Aug 2008 09:54:28 -0000	1.1268
+++ Overview.html	21 Aug 2008 10:06:32 -0000	1.1269
@@ -5744,9 +5744,6 @@
      either "text/xml" or "application/xml", then the sniffed type of the
      resource is <var title="">official type</var>; return that and abort
      these steps.
-   </li>
-   <!-- we don't want
-   image/svg+xml going through the next step -->
 
    <li>
     <p>If <var title="">official type</var> is an image type supported by the
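Review bot: the comment removed at "we don't want image/svg+xml going through the next step" was the note in this step that explained why XML types must return before the image-type step that follows. With the SVG rule now living in the image sniffing section, consider leaving a short comment here that points to it, so the ordering dependency stays documented. The same deletion also drops the `</li>`, leaving this list item closed only implicitly by the following `<li>`; HTML allows that, but keep the tag if the rest of the list closes its items explicitly.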
@@ -6207,10 +6204,14 @@
   <h4 id=content-type3><span class=secno>2.7.5 </span><dfn
    id=content-type8>Content-Type sniffing: image</dfn></h4>
 
-  <p>If the first bytes of the resource match one of the byte sequences in
-   the first column of the following table, then the sniffed type of the
-   resource is the type given in the corresponding cell in the second column
-   on the same row:
+  <p>If the resource's <var title="">official type</var> is "image/svg+xml",
+   then the sniffed type of the resource is its <var title="">official
+   type</var> (an XML type).
+
+  <p>Otherwise, if the first bytes of the resource match one of the byte
+   sequences in the first column of the following table, then the sniffed
+   type of the resource is the type given in the corresponding cell in the
+   second column on the same row:
 
   <table>
    <thead>
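Review bot: the added first paragraph tests whether the official type is "image/svg+xml" without saying how the comparison is made, so it is unclear whether a label that differs in case or carries parameters takes this branch or falls through to the byte-sequence table. Suggest stating the comparison rule here, or linking to the definition of official type if that definition already normalizes the value. The paragraph also gives the sniffed type without the "return that and abort these steps" wording used in the first hunk's step and relies on the "Otherwise" that opens the next paragraph; using the same wording in both places would make the early exit explicit.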
@@ -16085,7 +16086,10 @@
    title="Content-Type sniffing: image">image sniffing rules</a> to determine
    the type of the image, with the image's <a href="#content-type5"
    title=Content-Type>associated Content-Type headers</a> giving the <var
-   title="">official type</var>.
+   title="">official type</var>. If these rules are not applied, then the
+   type of the image must be the type given by the image's <a
+   href="#content-type5" title=Content-Type>associated Content-Type
+   headers</a>.
 
   <p>User agents must not support non-image resources with the <code><a
    href="#img">img</a></code> element (e.g. XML files whose root element is
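Review bot: the added sentence "If these rules are not applied" leaves the condition implicit, and it does not say what the type of the image is when there is no associated Content-Type header or the header cannot be parsed. Suggest naming the case in which the image sniffing rules are skipped and adding the outcome for a missing or unusable header, since in that branch the header is the only input to the type decision.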
Received on Thursday, 21 August 2008 10:07:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 9 October 2008 20:32:58 GMT