webhintio / hint

💡 A hinting engine for the web

Home Page:https://webhint.io/


[Feature] Allow HTML-only headers for SVG files

Seirdy opened this issue · comments

🚀 Feature request

Description

Requests for SVG files should be allowed to include HTML-only headers: CSP, X-XSS-Protection, etc.

Details

The SVG spec is really advanced, and allows a great deal of complex behavior (and vulnerabilities; see the Tor Browser's rationale for disabling SVG when increasing the security level). Headers like Content-Security-Policy can impact how the browser handles an SVG.

This feature could be considered a partial fix to #3403.
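The point of the request is that a hint which flags "HTML-only" headers on non-HTML resources should treat SVG as a document that can run script, since Content-Security-Policy actually constrains it. The following is an added example, not webhint's own code or the reporter's: a small header check that exempts image/svg+xml alongside HTML, flags such headers only on resources that cannot run script, and flags a scriptable document that ships without a CSP. The content-type set, the header list and the sample responses are assumptions constructed for illustration.

```javascript
// Added example, not webhint's own code: a minimal header check that treats
// SVG as a scriptable document, so that Content-Security-Policy and
// X-XSS-Protection are accepted on image/svg+xml responses just as on HTML.
// The content-type set, header list and sample responses are assumptions
// constructed for illustration.

// Media types the browser renders as a document that can execute script.
// CSP and similar headers change browser behaviour only for these.
const SCRIPTABLE_TYPES = new Set([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
]);

// Headers that only have an effect when the response is rendered as a document.
const DOCUMENT_ONLY_HEADERS = ['content-security-policy', 'x-xss-protection'];

// Lower-case all header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Reduce a Content-Type value to its media type: strip parameters such as
// charset, then trim and lower-case.
function mediaType(contentType) {
  if (!contentType) return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Check one response and return a list of finding strings:
//  - a document-only header on a non-scriptable resource (e.g. a PNG) is
//    reported as having no effect;
//  - a scriptable document (HTML or SVG) with no CSP is reported as missing one.
// An SVG served with a CSP produces no findings.
function checkHeaders(response) {
  const headers = normalizeHeaders(response.headers);
  const type = mediaType(headers['content-type']);
  const scriptable = SCRIPTABLE_TYPES.has(type);
  const findings = [];

  for (const name of DOCUMENT_ONLY_HEADERS) {
    if (name in headers && !scriptable) {
      findings.push(`'${name}' has no effect on '${type || 'unknown'}' resource ${response.url}`);
    }
  }
  if (scriptable && !('content-security-policy' in headers)) {
    findings.push(`'${type}' resource ${response.url} can run script but sends no Content-Security-Policy`);
  }
  return findings;
}

// Constructed sample responses (not real captures).
const SAMPLES = {
  svgWithCsp: {
    url: 'https://example.test/logo.svg',
    headers: {
      'Content-Type': 'image/svg+xml; charset=utf-8',
      'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'",
    },
  },
  pngWithCsp: {
    url: 'https://example.test/photo.png',
    headers: {
      'Content-Type': 'image/png',
      'Content-Security-Policy': "default-src 'none'",
    },
  },
  svgWithoutCsp: {
    url: 'https://example.test/icon.svg',
    headers: { 'Content-Type': 'image/svg+xml' },
  },
};

// Run the check over every sample and return the findings keyed by sample name.
function runSamples() {
  const results = {};
  for (const [name, response] of Object.entries(SAMPLES)) {
    results[name] = checkHeaders(response);
  }
  return results;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Running it reports nothing for the SVG that carries a CSP, one finding for the PNG (the header cannot change how a raster image is handled) and one finding for the SVG served without any CSP. The media-type normalisation matters in practice: a `charset` parameter or mixed-case type on the Content-Type header would otherwise cause an SVG to be mis-classified as non-scriptable and its CSP to be flagged as useless.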