Re: [ietf-types] Registration of media typeimage/svg+xml

["Martin J. Dürst" <duerst@it.aoyama.ac.jp>]

Hello Chris, others,

On 2010/11/19 7:52, Chris Lilley wrote:
> This is an updated registration request, incorporating some feedback
> from Ned Freed<ned.freed@mrochek.com>  and Julian Reschke<julian.reschke@gmx.de>

I agree with Ned and Julian. This registration now looks good to me, 
except for a little detail pointed out below.

As for why I was very uneasy with mentioning .svgz in the Mime Media 
Type registration of image/svg+xml, please see the following excerpt 
from a conversation between Larry Masinter and Henri Sivonen 
(http://lists.w3.org/Archives/Public/www-tag/2010Nov/0053.html):

 >>>>
 > What were the problems with image/svg+xml, image/jp2 and/or video/mp4?

The problem with image/svg+xml is that after a decade of deployment and 
W3C REC status, the type still isn't in the registry. Even if the IETF 
experts found something wrong with the type, it would be way too late to 
stop its deployment, so there's really no point in subjecting it to 
expert review at this point.
 >>>>

 >>>>
 > As for image/svg+xml not being used for 'XML' format. I think this is 
a 3023bis issue?

Do you mean sending gzipped data as image/svg+xml without 
Content-Encoding: gzip?
 >>>>

I concluded (I hope erroneously) that there was gzipped SVG content out 
there that was sent with a naked Content-Type: image/svg+xml, and that 
some people in the industry thought that that was just okay. It is very 
clear that it is not okay, and that the registry should not at all 
suggest that it would be okay.


> Type name:
>
>      image
>
> Subtype name:
>
>      svg+xml
>
> Required parameters:
>
>      None.
>
> Optional parameters:
>
>      charset
>
>      Same as application/xml media type, as specified in [RFC3023] or
>      it's successors.
>
> Encoding considerations:
>
>      Same as for application/xml. See [RFC3023], section 3.2 or it's
>      successors.
>
> Security considerations:
>
>      As with other XML types and as noted in [RFC3023] section 10,
>      repeated expansion of maliciously constructed XML entities can be
>      used to consume large amounts of memory, which may cause XML
>      processors in constrained environments to fail.
>
>      Several SVG elements may cause arbitrary URIs to be referenced. In
>      this case, the security issues of [RFC3986], section 7, should be
>      considered.
>
>      In common with HTML, SVG documents may reference external media
>      such as images, audio, video, style sheets, and scripting
>      languages. Scripting languages are executable content. In this
>      case, the security considerations in the Media Type registrations
>      for those formats shall apply.
>
>      In addition, because of the extensibility features for SVG and of
>      XML in general, it is possible that "image/svg+xml" may describe
>      content that has security implications beyond those described
>      here. However, if the processor follows only the normative
>      semantics of this specification, this content will be outside the

"this specification" doesn't work when the registration template is 
taken out of the SVG spec. Either say "the SVG specification" or 
explicitly reference a specific version of the specification.


>      SVG namespace and shall be ignored. Only in the case where the
>      processor recognizes and processes the additional content, or
>      where further processing of that content is dispatched to other
>      processors, would security issues potentially arise. And in that
>      case, they would fall outside the domain of this registration
>      document.
>
> Interoperability considerations:
>
>      This specification describes processing semantics that dictate

Same problem here.

>      behavior that must be followed when dealing with, among other
>      things, unrecognized elements and attributes, both in the SVG
>      namespace and in other namespaces.
>
>      Because SVG is extensible, conformant "image/svg+xml" processors
>      must expect that content received is well-formed XML, but it
>      cannot be guaranteed that the content is valid to a particular DTD
>      or Schema or that the processor will recognize all of the elements
>      and attributes in the document.
>
>      SVG has a published Test Suite and associated implementation
>      report showing which implementations passed which tests at the
>      time of the report. This information is periodically updated as
>      new tests are added or as implementations improve.
>
> Published specification:
>
>      This media type registration is extracted from Appendix P of the
>      SVG 1.1 specification. http://www.w3.org/TR/SVG/
>
> Applications that use this media type:
>
>      SVG is used by Web browsers, often in conjunction with HTML; by
>      mobile phones and digital cameras, as a format for interchange of
>      graphical assets in desk top publishing, for industrial process
>      visualization, display signage, and many other applications which
>      require scalable static or interactive graphical capability.
>
> Additional information:
>
>      Magic number(s):
>      File extension(s):
>          svg, svgz (if gzip-compressed)
>      Macintosh file type code(s):
>          "svg " (all lowercase, with a space character as the fourth
>          letter), "svgz" (all lowercase, if gzip-compressed).
>      Macintosh Universal Type Identifier code:
>          org.w3c.svg conforms to public.image and to public.xml
>      Windows Clipboard Name:
>          "SVG Image"
>      Fragment Identifiers
>          For documents labeled as application/svg+xml, the fragment
>          identifier notation is that for application/xml, as specified
>          in RFC 3023 or its successors, plus the SVG-specific SVG Views
>          syntax described in the SVG specification.
>
> Person&  email address to contact for further information:
>
>      Chris Lilley, Doug Schepers (member-svg-media-type@w3.org).
>
> Intended usage:
>
>      COMMON
>
> Restrictions on usage:
>
>      None
>
> Author:
>
>      The SVG specification is a work product of the World Wide Web Consortium's SVG Working Group.
>
> Change controller:
>
>      The W3C has change control over this specification.

And same problem here again. Actually, in this case, I'm under the 
impression that "Change controller" refers to the change controller of 
the registration, not the specification (which would be the same, but 
would be written differently). But I might be wrong.

Regards,    Martin.

-- 
#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp   mailto:duerst@it.aoyama.ac.jp