Filed an issue to address this particular concern.
Thanks joepie91 for finding the folks responsible and getting the conversation started.
Currently, SVG is a security foot-cannon that allows attackers to upload a Stored XSS payload when a user views the image directly. Example.
Specifically, you can include JavaScript in an SVG document, and it will execute in all browsers if accessed directly.
This is contrary to what developers expect from a MIME type that begins with image/.
I'd like to propose:
- That the current use of SVG be moved to application/svg+xml
- If we are to have an image/svg+xml MIME type, then clients MUST NOT allow JavaScript (or any other code execution)
Thank you for your time.
This is posted publicly because when I tried to email them as indicated on this page, I got this:
Yeah, no.
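For anyone who accepts SVG uploads and wants to act on the concern above before any MIME-type change lands, here is an added example (not code from the original post or from the MIME registry) of a defender-side check: a detector that walks an uploaded SVG and reports script elements, on* event-handler attributes and javascript: hrefs, plus the response headers one common mitigation uses to keep a stored SVG from running as a document even when a user opens it directly. The two sample documents are constructed for the example; the header policy is an assumption about deployment, not part of any specification.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs for the example (not from the original post).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#09f"/>
</svg>"""

SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="console.log('ran')">
  <script>console.log('inline script')</script>
  <a xlink:href="javascript:void(0)"><text y="10">link</text></a>
</svg>"""


def _local(qualified_name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified_name.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_bytes):
    """Return a list of findings describing active content in an SVG.

    An empty list means this detector saw nothing active; it is a screening
    check for an upload pipeline, not a sanitizer, so a clean result should
    still be served with the restrictive headers below.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # A document the parser rejects is also a document a browser may
        # guess at, so treat it as a finding rather than silently accepting.
        return [f"unparseable XML: {exc}"]

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ("script", "foreignobject"):
            # <script> runs directly; <foreignObject> can embed HTML content.
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href":
                # Collapse whitespace so "java\nscript:" is still recognised.
                scheme = "".join(value.split()).lower()
                if scheme.startswith("javascript:"):
                    findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def download_only_headers():
    """Headers for serving a user-uploaded SVG (assumed deployment policy).

    Forcing a download and denying all script sources means that even if a
    browser does treat the file as a document, nothing in it executes.
    """
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, svg_active_content(doc) or "no active content found")
    print(download_only_headers())
```

The detector is deliberately conservative: it flags foreignObject outright rather than inspecting its contents, and it matches href schemes after removing whitespace because XML attribute values may contain line breaks. In production, parse with a hardened XML parser (for example defusedxml) rather than the stdlib one shown here, and rasterise or sanitise rather than relying on detection alone.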