by hughes 4482 days ago
"no Javascript" is very misleading. There are several <script> tags embedded in each svg, including at least two scripts that are loaded from external sources.

In fact, nearly 1/3 of the data transferred for the first graph is javascript[0].

[0] https://gist.github.com/hughes/c876b02aa06f897c99e2

2 comments
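
The kind of check behind the comment above, as an added example that is not part of the thread or the linked gist: a Node.js triage scan that lists the `<script>` elements in an SVG's source, separating inline code from scripts referenced by `href`/`xlink:href`. The sample SVG, the `cdn.example` URL and all function names are constructed, and the regex scan is a heuristic, not a full XML parser.

```javascript
// Matches <script .../> and <script ...>body</script>; quoted attribute values may contain '>'.
const SCRIPT_RE = /<script\b((?:"[^"]*"|'[^']*'|[^>"'])*?)(\/>|>([\s\S]*?)<\/script\s*>)/gi;
// SVG <script> references external code with href or the older xlink:href.
const HREF_RE = /(?:^|\s)(?:xlink:)?href\s*=\s*(?:"([^"]*)"|'([^']*)')/i;

function auditSvgScripts(svgText) {
  // Drop XML comments first so commented-out scripts are not reported.
  const text = svgText.replace(/<!--[\s\S]*?-->/g, '');
  const report = { inline: 0, inlineBytes: 0, external: [], remote: [] };
  for (const m of text.matchAll(SCRIPT_RE)) {
    const href = HREF_RE.exec(m[1]);
    if (href) {
      const url = href[1] ?? href[2];
      report.external.push(url);
      // Absolute or protocol-relative URLs are fetched from another host.
      if (/^(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(url)) report.remote.push(url);
    } else if (m[3] && m[3].trim()) {
      report.inline += 1;
      report.inlineBytes += Buffer.byteLength(m[3], 'utf8');
    }
  }
  // Share of the file itself that is inline script; externally loaded
  // scripts add to the transfer size but are not counted here.
  report.totalBytes = Buffer.byteLength(svgText, 'utf8');
  report.inlineFraction = report.inlineBytes / report.totalBytes;
  return report;
}

// Constructed sample: one remote script, one relative script, one inline script.
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script type="text/ecmascript" xlink:href="https://cdn.example/chart-lib.js"/>
  <script href="tooltips.js"></script>
  <script><![CDATA[ function showTip(evt) { /* a > b */ } ]]></script>
  <rect width="10" height="10"/>
</svg>`;

console.log(auditSvgScripts(SAMPLE_SVG));
```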

Hm, how does this work? How can JavaScript be executed like that when it's included as an image?

Curious about that too. If I load an svg in the address bar with embedded script I can show alert(), but linked into html using <img> tag, alert does not run. Sandboxed? Otherwise I could execute JS just by loading in using svg via <img>.

Looks like it's not sandboxed at all?

> Any functions defined within any script element have a global scope across the entire current document.

[0] https://developer.mozilla.org/en-US/docs/Web/SVG/Element/scr...

As images / targets, SVG documents have their own global scope, much like a page in an iframe.

Is that just for fallback and also tooltips?