2

This question contains an animated SVG that is hosted on a private website outside of the stackexchange ecosystem. Just viewing the question seems to run it from that site.

Is there any possibility that this site could start collecting IP addresses or other information? Animations are normally either GIFs hosted by imgur, or YouTube links. I've never seen embedded widgets from private sites before.

![https://www.moonwards.com/img/animations/transfer_time.svg][1]

  [1]: https://www.moonwards.com/img/animations/transfer_time.svg

Has his technique been vetted for privacy and security? Is it considered good stackexchange practice? It was the fact that there isn't even a question in this post that concerned me first.

3
  • SVGs can contain active script: security.stackexchange.com/questions/143141/…
    – called2voyage Mod
    Commented Sep 5, 2017 at 20:21
  • Not sure on the policy question though. You may try pinging SE staff in chat.
    – called2voyage Mod
    Commented Sep 5, 2017 at 20:27
  • @called2voyage I've asked here, and answers are being posted. Apparently moonwards can potentially be collecting IP, browser and other information of anyone who views the question, without their knowledge.
    – uhoh
    Commented Sep 5, 2017 at 21:01

1 Answer

4

Disclaimer: I wrote that post.

SE allows arbitrary hot-linking of images. The default Imgur upload is there to cover the usual case that the image is not yet hosted anywhere, but there are other benefits as well. Image links are for instance less prone to dying (you can even re-upload images with a link from the web for this reason). A reason for not using it may for instance be technical limitations. In my case, it was that Imgur does not support the svg image format.

Can an svg contain executable javascript?

Yes.

Can said javascript be executed here on SE?

No. The img tag is sandboxed (for the record, the graphic does not contain JS).

Can I collect your IP address?

Yes. I can do that with a PNG or GIF too. Whatever resource the site is serving requires your machine to contact the server.

> Animations are normally either GIFs hosted by imgur, or YouTube links

Yes they are. Why did I not use that? Because of the effort required. The svg animation was something I had in stock. If you can point me to a tool for converting declarative animations to gifs, I would be very grateful. My current knowledge of animations is limited to SVG+SMIL and stop motion by piping frames into ffmpeg. The latter would require a complete rewrite.

Then: The "Hey, look at my cool website!" aspects of this. This is my only file hosting for uploading arbitrary files. The name of the site is not mentioned in the post, and the link points directly to the file, not to some other page with other content.

Why link at all? Because svg animations go one way by default. Pointer events like the reset button are stripped by browser sandboxing, so to view the animation again the file must be viewed at its location.

Why the post at all? It could essentially be stripped down to just the title. The rest is my own attempt at solving it. My geometry knowledge in this field is a little shaky, so I was not sure about several of the steps (is an ellipse always a circle scaled along an axis?).

Still, looking at it now, it is rather low quality and I deleted it. I should really go to bed.

5
  • 2
    One problem with many SE sites is that after a while everyone is focused on answering (as answers or in non-down-votable comments), and the question pool suffers. Writing SE questions is not easy! I learned here among nice people and have been branching out into the more angsty sites. I've asked over 500 questions here, 1000 in SE ecosystem in toto, and it's still quite a challenge. There does not seem to be any limit to the number of questions one can ask, so maybe break it into smaller pieces. Often, half way through crafting a crystal clear question the answer appears before posting.
    – uhoh
    Commented Sep 5, 2017 at 22:01
  • 1
    @uhoh You definitely know that :) You are one of our most active askers. Most are good, some are not.
    Commented Sep 5, 2017 at 22:04
  • The statement, The default Imgur upload is just there to cover the usual case that the image is not yet hosted anywhere. is not totally correct, though it serves that purpose well. It can also be used to upload an image from the web, and has a button just for that. When at all possible the imgur hosting should be used. Images hosted elsewhere can, and do, become dead links, often rendering the post useless later. Imgur hosted images for SE are supposed to be immune to that because of an agreement of some kind between Imgur and SE.
    – user20122
    Commented Sep 10, 2017 at 0:49
  • @GypsySpellweaver Yes, you are right. I am going to edit that.
    Commented Sep 10, 2017 at 7:04
  • When SE switched over to HTTPS, there were hundreds of images on Super User posts that needed fixing, replacing, or deleting because they were dead links. It was a nightmare to handle those, and my estimate is that 75% of the "screenshots" for problems, and solutions, were forever gone. :(
    – user20122
    Commented Sep 10, 2017 at 7:10
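
Added example (not part of the original thread and not the answerer's code): a static check for the distinction drawn in the answer above, between an SVG that animates declaratively with SMIL and one that carries script, event handlers or outbound references. The sample documents and the names `audit_svg`, `BENIGN_SVG` and `ACTIVE_SVG` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
SMIL_ELEMENTS = {"animate", "animateTransform", "animateMotion", "set"}

# Constructed sample: SMIL-only animation with an event-based restart trigger.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="10" cy="50" r="5">
    <animate attributeName="cx" from="10" to="90" dur="4s"
             begin="0s;reset.click" fill="freeze"/>
  </circle>
  <rect id="reset" x="0" y="90" width="20" height="10"/>
</svg>"""

# Constructed sample: the kinds of content a reviewer should flag.
ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* placeholder */</script>
  <image xlink:href="https://tracker.example/pixel.png" width="1" height="1"/>
  <a href="javascript:void(0)"><text>x</text></a>
  <use xlink:href="#dot"/>
</svg>"""

def local(name):
    """Drop an '{namespace}' or 'prefix:' qualifier from a tag/attribute name."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]

def audit_svg(svg_text):
    """Return a list of findings; an empty list means purely declarative."""
    if "<!ENTITY" in svg_text.upper():
        # The stdlib parser expands internal entities; do not feed it these.
        return ["entity-declaration: not parsed"]
    findings = []
    for el in ET.fromstring(svg_text).iter():
        name = local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element:<{name}>")
        for attr, value in el.attrib.items():
            aname, value = local(attr).lower(), value.strip()
            if aname.startswith("on"):
                findings.append(f"handler:{name}@{aname}")
            elif aname == "href" and not value.startswith("#"):
                kind = "script-url" if value.lower().startswith("javascript:") else "external-ref"
                findings.append(f"{kind}:{name}@{value}")
        # SMIL is declarative, but it can still rewrite href/on* at runtime.
        target = local(el.get("attributeName", "")).lower()
        if name in SMIL_ELEMENTS and (target == "href" or target.startswith("on")):
            findings.append(f"smil-rewrites:{name}->{target}")
    return findings
```

An empty result only describes the file's contents: fetching a hot-linked file still means the viewer's machine contacts the hosting server, whatever the format.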
