In my town of 100,000 people there are four options: a universally high-priced grocery; a dirt-cheap grocery with goods at or near their sell-by date and the expected low quality; a gas station convenience store; or a bunch of mid-tier grocers with a few different names all owned by the same parent company.
Oh believe me. If that parent company was dumb enough to remove prices from items, and if that is even legal in your state, then a competitor would enter very quickly, making a big deal advertising about how it displays prices, and everyone would start doing their shopping at that competing mid-tier grocery store. Because that's how capitalism works.
You are making the fundamental mistake of thinking that the current equilibrium of local stores will continue to persist once some of the stores make a deep and fundamental change to their business. That is obviously not the case. It would create a gigantic strategic opportunity for competitors. And competitors really like finding strategic opportunities where they can make a bunch of money now where they couldn't before.
Browsers already treat the same SVG differently depending on how you embed it. <img> strips scripts and external resource loads. <object> and inline don't. People test with img tags, looks fine, then someone switches the embed method and everything opens up.
It'd be nice if there was a way to declare in the URL that a given SVG could only be treated as an image, so that you could safely open SVG URLs, etc. without exposing yourself to the dangers of embed/inline.
If you control the domain then yes you could. But if I want to put a link on my website to some SVG hosted elsewhere and I want it to be safe for you to open that link in a new tab then there's not really a way for CSP to protect you the user from the host deploying a malicious SVG.
Like opening a PNG in a new tab is harmless but opening an SVG in a new tab is opening a pretty substantial can of worms.
If your threat model is “I don’t want the image I’m hotlinking to be replaced with something else when opened in a new tab”, then no image format is safe.
Well, as an example: let's say I maintain a hypothetical appview for an atproto service and we support SVGs. Users can upload SVGs via our appview or directly to their PDS and we pick them up when the network propagates record updates.
So users can view SVGs embedded in our site and they are regular vanilla SVG images. But say the user copies a link to this image (which we serve via our site or a CDN).
They share the image to a friend via URL and their friend clicks the link, opening it directly in Firefox or Chrome. Now all the scripts in the SVG can execute and the image can rewrite the DOM to present itself as a fake website prompting them to log into their Bluesky/atproto account to view the content. So said friend types their credentials in and the script in the SVG sends that back to their C&C server.
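An added example, not from this thread: a server-side gate for the appview scenario above, using my own function names. It parses a user-uploaded SVG, flags the constructs that only activate when the file is opened as a document (new tab, `<object>`, inline) rather than through `<img>`, and lists the response headers I would send so that a direct open is still treated as a script-less image.

```python
# Added example (not from the thread). Parses a user-uploaded SVG and reports
# anything that would run code or fetch remote content once the file is opened
# as a document instead of via <img>. Function names are my own.
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def active_content_findings(svg_bytes: bytes) -> list[str]:
    """Return reasons this SVG is unsafe to open directly; empty means none found."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()   # strip the XML namespace
        if local in ACTIVE_ELEMENTS:
            findings.append(f"<{local}> element")
        for name, value in el.attrib.items():
            lname = name.rsplit("}", 1)[-1].lower()  # handles xlink:href too
            v = value.strip().lower()
            if lname.startswith("on"):               # onload=, onclick=, ...
                findings.append(f"event handler {lname}")
            elif lname == "href" and v.startswith("javascript:"):
                findings.append(f"javascript: URL in <{local}>")
            elif lname == "href" and v.startswith(("http:", "https:", "//")):
                findings.append(f"external reference in <{local}>")
    return findings

def is_safe_to_host(svg_bytes: bytes) -> bool:
    return not active_content_findings(svg_bytes)

def hosting_headers() -> dict[str, str]:
    """Headers for serving an SVG so a direct open cannot run scripts or load
    remote resources. Browsers apply a CSP header to SVG-as-document loads;
    <img> embeds are unaffected, so normal rendering on the site keeps working."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }

# Constructed samples for demonstration; the first mirrors the thread's scenario.
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
                 b'<script>alert(1)</script>'
                 b'<a href="javascript:void(0)"><text>login</text></a></svg>')
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("clean", CLEAN_SVG)):
        print(label, active_content_findings(doc))
```

The CSP header stops scripts when someone opens the hosted URL directly; the scan additionally lets the host reject uploads before they are served at all.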
Twitter is already a bit of a special case because porn is so accessible (although, you must opt in through the browser and cannot opt in through the app).
Discord works the same way I think, so I'm not sure Twitter is special in that regard (there exist a myriad of porn servers on Discord, and the company is constantly getting in hot water because of its popularity among kids/teenagers).
You'd think Apple would go after the top-charting apps that are leveraging the scam companies (like Monopoly Go and Disney Solitaire) for actively engaging with scams like this to pump their own numbers up...
(https://old.reddit.com/r/FreeCash/comments/1i4132r/monopoly_... - like this. What the everloving hell? Straight up enticing users to shove themselves into a game, expose themselves to ads galore, and then keep goading them into blowing even more money in the partner app under the guise of 'real cash'.)
It has a massive user base. And political connections. And lawsuit money. Apple (and Google) will absolutely treat these publishers differently than a random app developer.
Maybe—I don't think anyone is choosing between the two based on access to Grok of all things. I think it's simply treated as an extension of Twitter, which will almost certainly never be forced out while it remains the premier app for diplomacy and AI porn.
Yeah, Apple doesn't care about losing money or pissing off a large user-base. They assume they have enough money and they'll always have the larger user-base.