It's weird everyone is treating this anything other than what Don is saying - port's fine, don't make it sound like we endorsed this. Don't make us responsible for your product.
In my town of 100,000 people there are four options. A universally high priced grocery, a dirt cheap, goods at our near their sell by date with the expected low quality grocery, a gas station convenience store, or a bunch of mid-tier grocers with a few different names all owned by the same parent company.
Oh believe me. If that parent company was dumb enough to remove prices from items, and if that is even legal in your state, then a competitor would enter very quickly, making a big deal advertising about how it displays prices, and everyone would start doing their shopping at that competing mid-tier grocery store. Because that's how capitalism works.
You are making the fundamental mistake of thinking that the current equilibrium of local stores will continue to persist once some of the stores make a deep and fundamental change to their business. That is obviously not the case. It would create a gigantic strategic opportunity for competitors. And competitors really like finding strategic opportunities where they can make a bunch of money now where they couldn't before.
Browsers already treat the same SVG differently depending on how you embed it. <img> strips scripts and external resource loads. <object> and inline don't. People test with img tags, looks fine, then someone switches the embed method and everything opens up.
it'd be nice if there was a way to declare in the URL that a given SVG could only be treated as an image so that you could safely open SVG urls, etc without exposing yourself to the dangers of embed/inline.
If you control the domain then yes you could. But if I want to put a link on my website to some SVG hosted elsewhere and I want it to be safe for you to open that link in a new tab then there's not really a way for CSP to protect you the user from the host deploying a malicious SVG.
Like opening a PNG in a new tab is harmless but opening an SVG in a new tab is opening a pretty substantial can of worms.
If your threat model is “I don’t want the image I’m hotlinking to be replaced with something else when opened in a new tab”, then no image format is safe.
Well as an example: Lets say I maintain a hypothetical appview for an atproto service and we support SVGs. Users can upload SVGs via our appview or directly to their PDS and we pick them up when the network propagates record updates.
So users can view SVGs embedded in our site and they are regular vanilla SVG images. But say the user copies a link to this image (which we serve via our site or a CDN).
They share the image to a friend via URL and their friend clicks the link opening it directly in firefox or chrome. Now all the scripts in the SVG can execute and the image can rewrite the DOM to present itself as a fake website prompting them to log into their bluesky/atproto account to view the content. So said friend types their credentials in and the script in the SVG sends that back to their C&C server.
reply