~sircmpwn/sr.ht-discuss


SVG file embedded in README.md

Message ID: <ebb5b810f22ecbb020474584694775ee@hewgill.com>
DKIM signature: missing

I'm trying to embed an SVG in a README.md file served from git.sr.ht.
Project link: https://git.sr.ht/~ghewgill/hour-of-power

The problem is the SVG file appears to be served with a
"Content-type: text/plain; charset=utf-8" header. This causes the
browser to fail to render the SVG as an image.

How can I cause the SVG file to be served with "image/svg+xml" type?
Or is there another better way I'm missing?

Message ID: <0APuQMP4Qr9mZm6o1QbthXBrmvr-XGz_dz9jNZ6tQukBTak1FGmNtNtv3CN7vZ-_LIMVddPzbCKxxLAzHND-U6MY5VoNl_muGXu9sQ1GL7c=@emersion.fr>
In-Reply-To: <ebb5b810f22ecbb020474584694775ee@hewgill.com>
DKIM signature: missing

On Monday, May 11, 2020 10:49 AM, Greg Hewgill <greg@hewgill.com> wrote:

> I'm trying to embed an SVG in a README.md file served from git.sr.ht.
> Project link: https://git.sr.ht/~ghewgill/hour-of-power
>
> The problem is the SVG file appears to be served with a
> "Content-type: text/plain; charset=utf-8" header. This causes the
> browser to fail to render the SVG as an image.
>
> How can I cause the SVG file to be served with "image/svg+xml" type?
> Or is there another better way I'm missing?

I wonder whether this may be a security issue (users would be able to
potentially embed JavaScript in the SVG and steal cookies).

Message ID: <7ce9db2303087e000fd6a80088f45ce0@hewgill.com>
In-Reply-To: <0APuQMP4Qr9mZm6o1QbthXBrmvr-XGz_dz9jNZ6tQukBTak1FGmNtNtv3CN7vZ-_LIMVddPzbCKxxLAzHND-U6MY5VoNl_muGXu9sQ1GL7c=@emersion.fr>
DKIM signature: missing

May 11, 2020 8:56 PM, "Simon Ser" <contact@emersion.fr> wrote:

> I wonder whether this may be a security issue (users would be able to
> potentially embed JavaScript in the SVG and steal cookies).

That could be the reason. That would be unfortunate too, because SVG
is a nice way to include simple diagrams (I even tried inline SVG in
the Markdown, but that definitely did not work).

I've added a PNG version of the diagram for now so it works, but have
left the broken link to the SVG in there. I'm still hoping that there
is some way to make the SVG work.

Message ID: <C2NXDUQBO02C.2ZHDHXWBUJ856@homura>
In-Reply-To: <0APuQMP4Qr9mZm6o1QbthXBrmvr-XGz_dz9jNZ6tQukBTak1FGmNtNtv3CN7vZ-_LIMVddPzbCKxxLAzHND-U6MY5VoNl_muGXu9sQ1GL7c=@emersion.fr>
DKIM signature: missing

On Mon May 11, 2020 at 4:56 AM PST, Simon Ser wrote:
> I wonder whether this may be a security issue (users would be able to
> potentially embed JavaScript in the SVG and steal cookies).

This is indeed a concern. In theory it's not unfixable, but the overhead
of implementing SVG is higher than for any other image format.

Message ID: <922a9a074f7620dc54008cc8556936e8@hewgill.com>
In-Reply-To: <C2NXDUQBO02C.2ZHDHXWBUJ856@homura>
DKIM signature: missing

May 12, 2020 1:13 AM, "Drew DeVault" <sir@cmpwn.com> wrote:

> This is indeed a concern. In theory it's not unfixable, but the overhead
> of implementing SVG is higher than for any other image format.

Thanks. Whoever thought it was a good idea to ruin a perfectly good
image format with scripting.

I'll stick with the PNG image for now and hope nobody ruins that. :)
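
As an added illustration of the concern raised in this thread (not code from sr.ht or from any participant): a server-side check that serves an uploaded SVG as image/svg+xml only when it consists of static drawing elements with no event handlers, and falls back to text/plain otherwise. The allowlist, the header policy and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Static drawing elements only (assumed allowlist; script, foreignObject,
# use, image, style, a and the animation elements are deliberately absent).
ALLOWED = {"svg", "g", "defs", "title", "desc", "path", "rect", "circle",
           "ellipse", "line", "polyline", "polygon", "text", "tspan",
           "linearGradient", "radialGradient", "stop"}

# Assumed response policy, not sr.ht's actual configuration.
IMAGE_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    "X-Content-Type-Options": "nosniff",
}
PLAIN_HEADERS = {"Content-Type": "text/plain; charset=utf-8",
                 "X-Content-Type-Options": "nosniff"}

def svg_problems(data: bytes) -> list[str]:
    """Return the reasons an upload must not be served as an image ([] = none)."""
    try:
        text = data.decode("utf-8")  # one known encoding for every check below
    except UnicodeDecodeError:
        return ["not UTF-8"]
    if "<!doctype" in text.lower() or "<!entity" in text.lower():
        return ["DOCTYPE or entity declaration"]  # refuse entity expansion outright
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for el in root.iter():
        ns, _, tag = el.tag.rpartition("}")
        if ns.lstrip("{") != SVG_NS or tag not in ALLOWED:
            problems.append(f"element not allowed: {tag}")
        for name, value in el.attrib.items():
            local = name.rpartition("}")[2].lower()
            if local.startswith("on"):
                problems.append(f"event handler attribute: {local}")
            elif local == "href" and not value.strip().startswith("#"):
                problems.append(f"non-local href on {tag}")
    return problems

def headers_for(data: bytes) -> dict[str, str]:
    """Image headers only for SVGs that passed every check."""
    return PLAIN_HEADERS if svg_problems(data) else IMAGE_HEADERS

# Constructed samples, not taken from the project in the thread.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10"/></svg>'
ACTIVE = b'<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><script>/* constructed */</script></svg>'
```

The sandboxing Content-Security-Policy header matters even for files that pass, because it still applies when the raw SVG URL is opened directly as a document rather than referenced from an `<img>` tag.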