Mozilla Foundation Security Advisory 2010-05

XSS hazard using SVG document and binary Content-Type

February 17, 2010
Georgi Guninski
Firefox, SeaMonkey
Fixed in
  • Firefox 3.0.18
  • Firefox 3.5.8
  • Firefox 3.6
  • SeaMonkey 2.0.3


Mozilla security researcher Georgi Guninski reported that when a SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an <embed> tag with type="image/svg+xml", the Content-Type is ignored and the SVG document is processed normally. A website which allows arbitrary binary data to be uploaded but which relies on Content-Type: application/octet-stream to prevent script execution could have such protection bypassed. An attacker could upload a SVG document containing JavaScript as a binary file to a website, embed the SVG document into a malicous page on another site, and gain access to the script environment from the SVG-serving site, bypassing the same-origin policy.