Comment by akersten
4 hours ago
This is all solved by developers properly setting the X-Frame-Options header but I bet instead we'll delete half the SVG spec from the browser in some futile chase of security
SVGs have a lot of security landmines; it's simplest to just disallow them, especially if they are untrusted (user provided)
It's not all solved because some applications require framing (e.g. Google Docs), and you can run this attack against a non-frame target, such as a website with HTML injection but strict CSP.
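The two framing cases the comments above disagree on, deny everything versus allow a known set of embedders, as an added example that is not code from any commenter; the origins are made up and the helper names are my own:

```javascript
// Added example, not code from the thread. Builds the response headers that
// keep a page from being framed by attacker-controlled documents (SVG or
// otherwise) while still allowing the embedding some apps genuinely need.
//
// X-Frame-Options only knows DENY and SAMEORIGIN (ALLOW-FROM is obsolete and
// ignored by current browsers). An allowlist of embedding origins therefore
// needs Content-Security-Policy: frame-ancestors, which browsers honour in
// preference to X-Frame-Options when both are present.

// Returns an object of header name -> value.
//   []                           -> deny all framing
//   ['self']                     -> same-origin framing only
//   ['self', 'https://x.test']   -> self plus the listed origins
function framingHeaders(allowedAncestors) {
  if (allowedAncestors.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  const origins = allowedAncestors.filter((a) => a !== 'self').map(normalizeOrigin);
  const sources = ["'self'", ...origins].join(' ');
  return {
    // Legacy browsers without frame-ancestors support fall back to
    // X-Frame-Options, which cannot express an allowlist; SAMEORIGIN makes
    // them fail closed rather than open.
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors ${sources}`,
  };
}

// Accepts only a bare http(s) scheme://host[:port] origin. A path, query,
// wildcard or unparseable string is rejected so a typo cannot widen the list.
function normalizeOrigin(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    throw new Error(`not a valid origin: ${candidate}`);
  }
  if (candidate.includes('*') || url.origin !== candidate || !/^https?:$/.test(url.protocol)) {
    throw new Error(`not a bare http(s) origin: ${candidate}`);
  }
  return url.origin;
}

// Applies the headers to a Node http.ServerResponse (anything with setHeader).
function applyFramingHeaders(res, allowedAncestors) {
  const headers = framingHeaders(allowedAncestors);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}
```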