[Feature] Allow HTML-only headers for SVG files
Seirdy opened this issue · comments
Feature request
Description
Requests for SVG files should be allowed to include HTML-only headers: CSP, X-XSS-Protection, etc.
Details
The SVG spec is really advanced, and allows a great deal of complex behavior (and vulnerabilities; see the Tor Browser's rationale for disabling SVG when increasing the security level). Headers like Content-Security-Policy can impact how the browser handles an SVG.
This feature could be considered a partial fix to #3403.
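For context on the server side of this request, here is an added example (not from the issue author or the project) of WSGI middleware that attaches a restrictive Content-Security-Policy to `image/svg+xml` responses, which the browser enforces when the SVG is opened as a document. The policy string, function names and sample app are assumptions made for illustration.

```python
# Added example: attach a restrictive CSP to SVG responses in a WSGI stack.
# SVG_CSP, svg_csp_middleware, sample_app and response_headers are hypothetical names.

SVG_CSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox"

def svg_csp_middleware(app, policy=SVG_CSP):
    """Wrap a WSGI app so image/svg+xml responses carry a CSP header."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
            # Compare only the media type, ignoring parameters such as charset.
            media_type = ctype.split(";", 1)[0].strip().lower()
            has_csp = any(k.lower() == "content-security-policy" for k, _ in headers)
            if media_type == "image/svg+xml" and not has_csp:
                headers = list(headers) + [
                    ("Content-Security-Policy", policy),
                    ("X-Content-Type-Options", "nosniff"),
                ]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped

# Constructed sample: an SVG containing a script element, which the policy
# above stops from executing when the file is opened directly.
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>document.documentElement.setAttribute("data-ran","1")</script>'
              b'</svg>')

def sample_app(environ, start_response):
    """Constructed app: serves an SVG for *.svg paths, a PNG stub otherwise."""
    if environ["PATH_INFO"].endswith(".svg"):
        start_response("200 OK", [("Content-Type", "image/svg+xml; charset=utf-8")])
        return [SAMPLE_SVG]
    start_response("200 OK", [("Content-Type", "image/png")])
    return [b"\x89PNG"]

def response_headers(app, path):
    """Call a WSGI app for `path` and return its headers with lowercase names."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update({k.lower(): v for k, v in headers})
    b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured
```
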