“Security restrictions” when linking to external s

Published 2019-05-03 15:46

According to this answer "for security reasons images must be standalone files". That is, when including a SVG file using an img tag it cannot reference any external stylesheets.

I think I've run into the same issue when trying to include SVGs as background images using CSS. The SVGs link to other SVG files and display fine when viewing them in Firefox directly, but fail to show the linked content when included as a CSS background image.

What are these 'security reasons' and where can I find out more information about them?

Tags: html css svg
1 answer
做个烂人
#2 -- · 2019-05-03 16:30

Consider a hypothetical forum that allows SVG images as avatars. If external resources were allowed, a trickster/malicious user could upload an SVG file that contains <image xlink:href="http://evilhacker.com/myimage.png"> and (assuming they control evilhacker.com), they could do any & all of the following:

  • receive a ping at their own domain whenever anyone views their profile (& log the IP address of the person viewing it)
  • potentially serve a different-looking avatar to different people based on their IP address, request headers, etc.
  • potentially change the appearance of their avatar at will (i.e. wait for forum admins to approve it with a thumbs-up, and then change it to be NSFW)

See this Mozilla bug and the SVG integration specification for more details.
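The server-side check implied by the answer above, added here as an example (not code from the original post): it lists every external reference an uploaded SVG carries (href/xlink:href, url() in attributes and <style>, @import, and <?xml-stylesheet?> instructions) so a forum can reject such avatars before other users' browsers ever see them. The two sample SVGs are constructed; evilhacker.com is the host named in the answer.

```python
import re
from xml.etree import ElementTree as ET  # for untrusted uploads, defusedxml.ElementTree also blocks entity expansion

URL_FUNC = re.compile(r"url\(\s*['\"]?([^'\")]+)")
CSS_IMPORT = re.compile(r"@import\s+(?:url\()?\s*['\"]?([^'\")\s;]+)")
XML_STYLESHEET_PI = re.compile(rb"<\?xml-stylesheet[^>]*href=['\"]([^'\"]+)")


def is_external(ref: str) -> bool:
    """Only same-document fragments (#id) and inline data: URIs are self-contained."""
    ref = ref.strip()
    return bool(ref) and not ref.startswith("#") and not ref.startswith("data:")


def find_external_refs(svg_bytes: bytes) -> list:
    """Return the external references in an SVG, in document order, without duplicates."""
    refs = []
    # Processing instructions are dropped by ElementTree, so scan the raw bytes for them first.
    refs += [m.group(1).decode() for m in XML_STYLESHEET_PI.finditer(svg_bytes)]
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        for name, value in el.attrib.items():
            local = name.split("}")[-1]  # strip the xlink namespace from {ns}href
            if local == "href" and is_external(value):
                refs.append(value)
            # fill="url(...)", style="background: url(...)", filter="url(...)" and friends
            refs += [u for u in URL_FUNC.findall(value) if is_external(u)]
        if el.tag.split("}")[-1] == "style" and el.text:
            refs += [u for u in CSS_IMPORT.findall(el.text) if is_external(u)]
            refs += [u for u in URL_FUNC.findall(el.text) if is_external(u)]
    return list(dict.fromkeys(refs))


# Constructed sample: the avatar from the answer, plus a stylesheet PI and a CSS @import.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<?xml-stylesheet href="http://evilhacker.com/avatar.css" type="text/css"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <style>@import url(http://evilhacker.com/more.css);</style>
  <image xlink:href="http://evilhacker.com/myimage.png" width="64" height="64"/>
  <use href="#shape" fill="url(#grad)"/>
</svg>"""

# Constructed sample: self-contained, so it passes.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <defs><linearGradient id="grad"/><circle id="shape" r="10"/></defs>
  <use href="#shape" fill="url(#grad)" style="stroke: url(#grad)"/>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="8" height="8"/>
</svg>"""

if __name__ == "__main__":
    print("rejected, external refs:", find_external_refs(MALICIOUS_SVG))
    print("accepted, external refs:", find_external_refs(CLEAN_SVG))
```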
