On Mon, Jan 3, 2011 at 3:22 PM, Brion Vibber <brion(a)pobox.com> wrote:
> Since ApiSVGProxy serves SVG files directly out on the local domain as their
> regular content type, it potentially has some of the same safety concerns as
> img_auth.php and local hosting of upload files. If that's a concern
> preventing rollout, would alternatives such as wrapping the file data &
> metadata into a JSON structure be acceptable?

Would it be enough to serve it with Content-Disposition: attachment?
I'd think that should block all direct use but still allow XHR to work
(although I'm not totally sure).
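
The two alternatives raised in this exchange (a Content-Disposition: attachment response and a JSON wrapper around the file data and metadata), sketched as an added example that is not part of the original message and is not ApiSVGProxy's code. The helper `svg_response`, the WSGI `app`, the `mode` query parameter and the sample SVG are all hypothetical and constructed for illustration.

```python
import json
from urllib.parse import parse_qs

# Constructed sample input: an SVG that carries a script element.
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>/* would run if rendered as a document */</script></svg>')

def svg_response(svg_bytes, filename, mode):
    """Build (status, headers, body) for one delivery option (hypothetical helper)."""
    # Keep a conservative ASCII character set so the name cannot break the header.
    safe_name = "".join(c for c in filename
                        if c.isascii() and (c.isalnum() or c in "._-")) or "file.svg"
    if mode == "inline":
        # The case the quoted message worries about: SVG served as a
        # same-origin document under its regular content type.
        headers = [("Content-Type", "image/svg+xml")]
        body = svg_bytes
    elif mode == "attachment":
        # Same bytes and type, but marked as a download rather than a document.
        headers = [("Content-Type", "image/svg+xml"),
                   ("Content-Disposition", 'attachment; filename="%s"' % safe_name)]
        body = svg_bytes
    elif mode == "json":
        # File data and metadata wrapped in JSON: the response is never SVG.
        doc = {"filename": safe_name, "mime": "image/svg+xml",
               "data": svg_bytes.decode("utf-8")}
        # Escaping "<" is an extra choice made in this example, not from the thread.
        body = json.dumps(doc).replace("<", "\\u003c").encode("ascii")
        headers = [("Content-Type", "application/json; charset=utf-8")]
    else:
        raise ValueError("unknown mode: %r" % mode)
    headers.append(("Content-Length", str(len(body))))
    return "200 OK", headers, body

def app(environ, start_response):
    """Minimal WSGI endpoint: ?mode=attachment or ?mode=json (default json)."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    mode = query.get("mode", ["json"])[0]
    if mode not in ("attachment", "json"):  # never expose the inline form
        mode = "json"
    status, headers, body = svg_response(SAMPLE_SVG, "sample.svg", mode)
    start_response(status, headers)
    return [body]
```

In the JSON form the client recovers the original markup by parsing the response and reading the `data` field, so the script consuming it decides how the SVG is handled.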