On Mon, Jan 3, 2011 at 3:22 PM, Brion Vibber <br...@pobox.com> wrote:
> Since ApiSVGProxy serves SVG files directly out on the local domain as their
> regular content type, it potentially has some of the same safety concerns as
> img_auth.php and local hosting of upload files. If that's a concern
> preventing rollout, would alternatives such as wrapping the file data &
> metadata into a JSON structure be acceptable?

Would it be enough to serve it with Content-Disposition: attachment? I'd think that should block all direct use but still allow XHR to work (although I'm not totally sure).

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l