MarsIronPI | 32 days ago | on: We pwned X, Vercel, Cursor, and Discord through a ...
Shouldn't the ignoring of scripting be done at the user agent level? Maybe some kind of HTTP header to allow sites to disable scripts in SVG, à la CORS?
demurgos | 31 days ago
It's definitely a possible solution if you control how the files are displayed. In my case I preferred the files to be safe regardless of the mechanism used to view them (less risk of misconfiguration).
antiloper | 31 days ago
Content-Security-Policy: default-src 'none'
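Putting the two replies together, as an added example that is not code from the thread: a small Python sanitizer that strips script-bearing content from an uploaded SVG so the file is safe whatever viewer opens it (demurgos's approach), plus the response headers for serving it with antiloper's `default-src 'none'` policy. The element/attribute lists, the `nosniff` header and the constructed sample SVG are my assumptions, not anything the commenters specified.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Subtrees that can execute script or embed arbitrary HTML (assumed list).
ACTIVE_TAGS = {"script", "foreignObject"}
JS_SCHEME = re.compile(r"^\s*javascript\s*:", re.I)


def _local(tag: str) -> str:
    """'{namespace}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def sanitize_svg(svg_text: str) -> str:
    """Return the SVG with <script>/<foreignObject>, on* handlers and
    javascript: hrefs removed, so it is inert in any viewer (no CSP needed)."""
    ET.register_namespace("", SVG_NS)        # keep a clean default xmlns
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    # Materialise the element list first: removing while iterating would skip nodes.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in ACTIVE_TAGS:
                parent.remove(child)
    for el in root.iter():
        for name in list(el.attrib):
            lname = _local(name).lower()
            if lname.startswith("on"):                       # onload, onclick, ...
                del el.attrib[name]
            elif lname == "href" and JS_SCHEME.match(el.attrib[name]):
                del el.attrib[name]                           # href / xlink:href
    return ET.tostring(root, encoding="unicode")


def svg_response_headers() -> dict:
    """Headers for serving a user-uploaded SVG: antiloper's CSP plus nosniff
    (the nosniff line is my addition, so the file is never sniffed as HTML)."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample: an SVG carrying every vector the sanitizer handles.
EVIL_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    '<script>alert(1)</script>'
    '<a xlink:href="javascript:alert(1)"><circle r="5" onclick="alert(2)"/></a>'
    '<foreignObject><div>x</div></foreignObject>'
    '<image href="https://example.invalid/a.png"/></svg>'
)
```

Serving `sanitize_svg(upload)` with `svg_response_headers()` gives defence in depth: the file is inert even where the header is dropped, and the header still neutralises anything the sanitizer misses.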