
Re: [css3-images] image() function and file formats

From: Tantek Çelik <tantek@cs.stanford.edu>
Date: Tue, 18 Jan 2011 14:17:24 -0800
Message-ID: <AANLkTimzAfRG0O2PP3T_OXh6qjGoGEWMptpC2HPk2knq@mail.gmail.com>
To: "Tab Atkins Jr." <jackalmage@gmail.com>
Cc: www-style list <www-style@w3.org>

On Tue, Jan 18, 2011 at 13:37, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> The CSS3 Images spec
> <http://dev.w3.org/csswg/css3-images/#image-notation> defines the
> image() function, which allows authors to specify multiple images,
> representing the first one that doesn't give an error (that is, if the
> first one 404s or similar, the browser will instead fetch the second
> one in the list, etc.).
> Right now, the image() function has a form of light type-sniffing via
> the file extension, such that if the UA sees an image with an
> extension corresponding to a type of image the UA *knows* it doesn't
> support, it can skip trying to load the image altogether and just jump
> to the next image in the list.
> People have expressed concern that sniffing the image format via the
> file extension is unreliable and not a good practice.

Right. Here's the citation (W3C TAG issue) you're looking for:


> I don't have a strong opinion on the matter -

then best to drop it.

> in theory, doesn't say anything about the file, but also
> that in practice most files have the correct extension for their type.

worse than that, file extension based assumptions lead to security
problems (because the "can/should I handle this" code is almost always
different than the actual "handle/display/execute this" code - check
bug databases of (nearly?) any browser for this - "here go display
this .jpg file" - "oh look, it actually looks like a script I should
execute" oops).

> I'm interested in implementor opinions here.  Is this type of sniffing
> okay?

In a spec, especially for new functionality, no.

If you choose to implement it for some sort of legacy/compat support,
be prepared to deal with all the bugs and security risks you'll
encounter as a result. Your (implementer) risk decision to make.

Better reason:

Make it consistent with previous similar multiple image URLs with
fallbacks properties. e.g. 'cursor'.



http://tantek.com/ - I made an HTML5 tutorial! http://tantek.com/html5
Received on Tuesday, 18 January 2011 22:18:40 UTC
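
The mismatch the message describes, where the "can/should I handle this" check and the actual handling look at different things, as an added example that is not part of the original message or of any browser's code. The function names, the signature table and the sample fallback list are constructed for illustration; it assumes Node.js.

```javascript
// Added example; all names and sample data below are constructed.
// Magic-byte signatures for a few image formats.
const SIGNATURES = [
  { type: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38] },
];
const EXTENSIONS = new Map([
  ["png", "image/png"], ["jpg", "image/jpeg"], ["jpeg", "image/jpeg"], ["gif", "image/gif"],
]);

// The "can/should I handle this" guess: looks only at the URL.
function typeFromExtension(url) {
  const path = url.split(/[?#]/)[0];
  const dot = path.lastIndexOf(".");
  return dot < 0 ? null : EXTENSIONS.get(path.slice(dot + 1).toLowerCase()) ?? null;
}

// What the bytes actually are: the input the decoder will really see.
function typeFromContent(buf) {
  const hit = SIGNATURES.find(s => s.bytes.every((b, i) => buf[i] === b));
  return hit ? hit.type : null;
}

// Hardened selection: one classifier (content) drives both the decision and
// the dispatch. The extension is never consulted, and anything that is not a
// supported image is skipped rather than handed to some other handler.
function pickImage(candidates, supported) {
  for (const c of candidates) {
    const actual = typeFromContent(c.body);
    if (actual && supported.has(actual)) return { url: c.url, type: actual };
  }
  return null;
}

// Audit: list every candidate whose extension guess disagrees with its content.
function auditMismatches(candidates) {
  return candidates
    .map(c => ({ url: c.url, claimed: typeFromExtension(c.url), actual: typeFromContent(c.body) }))
    .filter(r => r.claimed !== r.actual);
}

// Constructed fallback list: text named .jpg, PNG bytes named .gif, a real JPEG header.
const SAMPLES = [
  { url: "a/photo.jpg", body: Buffer.from("/* text, not image data */") },
  { url: "a/logo.gif",  body: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00]) },
  { url: "a/real.jpeg", body: Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]) },
];
console.log(auditMismatches(SAMPLES));
console.log(pickImage(SAMPLES, new Set(["image/jpeg", "image/gif"])));
```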
