Mozilla security researcher Georgi Guninski reported that when an SVG document served with Content-Type: application/octet-stream is embedded into another document via an <embed> tag with type="image/svg+xml", the Content-Type header is ignored and the SVG document is processed normally. A website that allows arbitrary binary data to be uploaded but relies on Content-Type: application/octet-stream to prevent script execution could have that protection bypassed. An attacker could upload an SVG document containing JavaScript as a binary file to such a website, embed the SVG document into a malicious page on another site, and gain access to the script environment of the SVG-serving site, bypassing the same-origin policy.
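The lesson of this advisory for a site that accepts uploads is that the Content-Type header alone is not a boundary: a file that parses as SVG with script in it is active content no matter how it is served. The following upload-side check is an added example written for this page; it is not Mozilla's code and not part of the advisory. It assumes an upload is available as bytes and uses only the standard library. It parses the file as XML and reports the constructs that make an SVG active (script elements, on* event-handler attributes, javascript: URLs in href, and foreignObject, which can carry HTML), so a site can refuse or quarantine such files instead of trusting the header. The sample inputs are constructed for the example.

```python
"""Flag uploaded SVG files that carry active content (script or event handlers).

Added example for the advisory above; not Mozilla's code. Assumes uploads are
handed to this module as bytes and that a file with findings is not published.
"""
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attribute names."""
    return name.rsplit("}", 1)[-1] if name.startswith("{") else name


def _is_script_url(value: str) -> bool:
    """True if an href value uses the javascript: scheme (whitespace/case tolerant)."""
    compact = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
    return compact.lower().startswith("javascript:")


def is_svg(data: bytes) -> bool:
    """True if the bytes parse as XML whose root element is <svg>."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return _local(root.tag) == "svg"


def find_active_content(data: bytes) -> list:
    """Return human-readable findings; an empty list means no active content was found.

    Non-XML or non-SVG input yields one finding so callers never treat it as safe SVG.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    if _local(root.tag) != "svg":
        return ["root element is not <svg>"]

    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignObject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and _is_script_url(value):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


# Constructed sample uploads (hypothetical; not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>/* constructed sample */</script></svg>')
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()"><rect/></svg>'
NOT_SVG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"  # first bytes of a PNG, not XML

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                        ("handler", HANDLER_SVG), ("png", NOT_SVG)]:
        print(label, "->", find_active_content(blob) or "no active content")
```

A site that must host user-supplied SVG at all should combine a check like this with serving uploads from a separate origin, since (as the advisory shows) a header on the same origin does not stop a document from being interpreted as SVG once it is embedded with an explicit type.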