Bookmarked https://jlelse.blog/thoughts/2020/01/security-risk-embedding/. I would—before my tiny setup stopped …
I would—before my tiny setup stopped working, that is—scrape and cache avatars locally.
[Y]ou should consider enabling Content Security Policy (CSP) headers and only allow embedded content from trusted sites.
- The security risk of embedding images from external sites