Yeah that’s a complex scenario, but that’s also a good reminder of why Tor Browser’s Safest mode disables SVG entirely. Note that it’s possible to have a static/safe subset of SVG which does not support scripting, but i don’t know any browser that implements that…
IMO, blob URLs should be completely disabled. They are the main issue here, because they are executed in the context of the origin that created the blob in the first place.
Yeah that’s a complex scenario, but that’s also a good reminder of why Tor Browser’s Safest mode disables SVG entirely. Note that it’s possible to have a static/safe subset of SVG which does not support scripting, but i don’t know any browser that implements that…
IMO, blob URLs should be completely disabled. They are the main issue here, because they are executed in the context of the origin that created the blob in the first place.
https://github.com/whatwg/url/issues/127