- From: Geoffrey Sneddon via GitHub <sysbot+gh@w3.org>
- Date: Thu, 27 Oct 2016 22:11:37 +0000
- To: public-svg-issues@w3.org
> I thought the intent would be more clear from the forking suggestion, but the goal is to make `image/svg+xml` NEVER allow code execution.

My intent was to get at how you intend on getting browser vendors to ship that (breaking) change? Browser vendors are unlikely to ship such a breaking change just because the spec has changed (over concern about how many SVGs will be broken as a result), and the security issue exists as long as browsers support script execution on `image/svg+xml`. Browser vendors are incredibly averse to breaking content, and changing browsers is going to be far harder than changing the spec here.

--
GitHub Notification of comment by gsnedders

Please view or discuss this issue at https://github.com/w3c/svgwg/issues/266#issuecomment-256784723 using your GitHub account
Received on Thursday, 27 October 2016 22:11:43 UTC