Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=22407 to track this.
:DG<

On Thu, May 16, 2013 at 9:39 AM, Anne van Kesteren <[email protected]> wrote:
> On Wed, May 15, 2013 at 9:08 PM, Simon Pieters <[email protected]> wrote:
>> Case study: <img> was historically not capable of executing script from an
>> external file. This led to sites expecting <img> to be safe (e.g. allow
>> untrusted comments to use <img>). When browsers wanted to support SVG in
>> <img>, scripting had to be disabled in order to not break the assumption
>> that <img> is safe.
>
> Further case-in-point: Hosting SVG same-origin is nevertheless still
> very much a no-no as tricking the user into loading the file directly
> will expose the user to said scripts.
>
>
> --
> http://annevankesteren.nl/
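The case study above rests on one fact: an SVG file can carry script (script elements, event-handler attributes, javascript: URLs), an <img> rendering ignores all of it, and a direct navigation to the same file on the site's own origin does not. As an added example that is not part of this thread, the Python check below is the kind of pre-hosting triage an upload pipeline can run to flag SVG documents that contain any of those constructs. The sample SVG strings are constructed for the example and the function names are my own.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"


def local_name(qualified):
    """Strip an ElementTree '{namespace}name' prefix, leaving the bare name."""
    return qualified.rsplit("}", 1)[-1] if "}" in qualified else qualified


def find_script_vectors(svg_text):
    """Return a list of human-readable findings for every script-capable
    construct in the SVG document: <script> elements (in any namespace,
    including HTML inside <foreignObject>), on* event-handler attributes,
    and href/xlink:href attributes whose value is a javascript: URL."""
    findings = []
    root = ET.fromstring(svg_text)  # expat does not fetch external entities
    for el in root.iter():
        name = local_name(el.tag).lower()
        if name == "script":
            findings.append("<script> element")
        for attr, value in el.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def is_script_free(svg_text):
    """True when no script-capable construct was found."""
    return not find_script_vectors(svg_text)


# Constructed sample inputs (not real uploads).
PLAIN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4"/>'
    '</svg>'
)

SCRIPTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<script>console.log("hi")</script>'
    '<a xlink:href="javascript:void(0)"><text>link</text></a>'
    '</svg>'
)


if __name__ == "__main__":
    for label, doc in (("plain", PLAIN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, "->", find_script_vectors(doc) or "no script vectors")
```

This is a triage heuristic, not a sanitizer: it tells you which uploads carry script at all, which is what decides whether they are safe to serve from the same origin. Files that fail the check are the ones Anne's point applies to, and the robust answer for them remains hosting on a separate origin rather than trying to strip the script.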
