[rtldg]

Github proxies images so this shouldn't be possible https://github.blog/2014-01-28-proxying-user-images/

[chatmasta]

Oh wow TIL. Very interesting. And since 2014 too? Nice. They must have done that around the same time Google did it for GMail.

I wonder if it's still true. I imagine they have some Content-Security-Policy preventing it so you can't do hacks like embedding an external URL in an SVG.

[rtldg]

Their CSP does seem to prevent an svg I threw in a readme from loading a png so that's good to see. And a test png in the readme was proxied too.

content-security-policy: default-src 'none'; img-src data:; style-src 'unsafe-inline'