Joined 1 year ago
Cake day: November 12th, 2023



  • Just to play devil's advocate for a minute: loading from their own domain means they can actually garner quite a bit of information from just the serving of the SVG:

    • date and time of access
    • IP (country, state, region, etc)
    • Potential for an SVG XSS attack if the hoster doesn't clamp down their CSP settings

    Date/time/IP are good enough for getting pretty good estimates of who all uses their software. Doesn't matter if they are or aren't using that data; it is being sent to them of their own accord and on their terms. The public has no way of knowing.

    And this is all perfectly acceptable, as long as you do one of the following:

    • Prominent notice to user that tracking is enabled by default, and it can be disabled by doing X, Y, or Z. State the kind of tracking information collected and maybe even say logs are kept in memory or dumped after X days.
    • Allow for opt-in tracking. This one’s pretty straightforward.

    All of this doesn’t really matter if the dev isn’t willing to change anything about the remote image.

    But a fork?? Yeah, totally unnecessary. You can easily take care of this at the reverse proxy layer by preventing the SVG (or anything else for that matter) from being served. Just serve a 404 or something instead, or do a regex replace and remove it altogether from the page prior to serving.
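The "remove it from the page prior to serving" option from the comment above, written out as an added example (not code from the commenter or from any project discussed). It assumes the self-hosted app's HTML passes through a proxy or middleware layer where a Python hook can rewrite the response body before it reaches the browser; the blocked hostname and the sample HTML are constructed for illustration. It uses the standard-library HTML parser rather than a regex so that attribute order, quoting style and self-closing tags do not matter, and it reports which remote image URLs were stripped so the change can be logged and audited.

```python
"""Strip <img> tags whose src points at a blocked remote host.

Added example, not from the original comment. Runs in a reverse-proxy or
middleware hook over the HTML body before it is served. Hostnames and the
sample page below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RemoteImgStripper(HTMLParser):
    """Re-emit the document verbatim, dropping <img> tags aimed at blocked hosts."""

    def __init__(self, blocked_hosts):
        # convert_charrefs=False keeps &amp; etc. intact instead of decoding them.
        super().__init__(convert_charrefs=False)
        self.blocked = {h.lower() for h in blocked_hosts}
        self.out = []       # output fragments, joined at the end
        self.removed = []   # src values of the tags we dropped (for logging)

    def _is_blocked(self, attrs):
        src = dict(attrs).get("src") or ""
        host = urlparse(src).hostname
        return host is not None and host.lower() in self.blocked

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self._is_blocked(attrs):
            self.removed.append(dict(attrs).get("src"))
            return  # drop the tag entirely
        # get_starttag_text() returns the raw tag text, so formatting is preserved.
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<img .../>); same decision as a normal start tag.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_remote_images(html, blocked_hosts):
    """Return (rewritten_html, list_of_removed_src_urls)."""
    parser = _RemoteImgStripper(blocked_hosts)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample page: one image from the developer's remote host,
# one local image that must be left alone, and an entity that must survive.
SAMPLE_HTML = (
    "<!DOCTYPE html><html><body>"
    "<h1>Dashboard</h1>"
    '<img src="https://phone-home.example/logo.svg" alt="logo">'
    '<img src="/static/local.svg" alt="local"/>'
    "<p>Tom &amp; Jerry</p>"
    "</body></html>"
)

BLOCKED_HOSTS = ["phone-home.example"]  # hypothetical remote host


if __name__ == "__main__":
    rewritten, removed = strip_remote_images(SAMPLE_HTML, BLOCKED_HOSTS)
    print("removed:", removed)
    print(rewritten)
```

Belt and braces: even with the tag stripped, the same proxy can also send a `Content-Security-Policy` header with an `img-src` directive that omits the remote host, so the browser refuses the fetch if some other code path reintroduces the URL. nginx's `sub_filter` module does a similar rewrite natively, but as a literal string replacement rather than a parse, which is why a parser-based hook is the safer choice when the markup varies.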