|Edgar Bonet 5b126d7497||2 months ago|
|README.md||2 months ago|
|image-nojs.svg||3 years ago|
|image.svg||3 years ago|
On GitHub, both images are displayed, served as image/svg+xml from a different domain (raw.githubusercontent.com) with the header “Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox”. Neither Firefox nor Chromium execute the script, even if the image is opened alone, in a new tab. Chromium's console warns that it “Blocked script execution [...] because the document's frame is sandboxed and the 'allow-scripts' permission is not set.”
On Gogs and Gitea, the alt texts are displayed instead of the images. On Gogs, both alt texts are clickable. On Gitea only the first one is clickable. Unlike Firefox, Chromium also displays broken-image icons alongside the alt texts.
When clicking on the alt texts, Gogs and Gitea display the raw source of the images (the images served as text/plain). When clicking on the images, GitHub instead displays a “blob” page in “rendered” view. This page contains an iframe served from render.githubusercontent.com, with the image included, as before, from raw.githubusercontent.com. That blob page has buttons for switching between the rendered and source blob views, and a link to the raw file from raw.githubusercontent.com.
The issue has been reported: