
GitHub uses Camo [1] to serve assets like images and SVG files. It removes any "dangerous" code like JS from the file before serving it from a GitHub CDN.

1. https://github.com/atmos/camo



Are you sure?

Yes they use Camo, but that's a proxy to ensure that you don't serve JS from the same domain as github.com so that 3rd party assets have the JavaScript domain security policy applied.

I do not believe that Camo is a sanitising proxy... just a proxy.


Oh my! Never knew SVG was such a rabbit hole lol! Thanks for this info!


Ah, SVG, reminds me of those fine Windows Metafile days.

Seriously, can we stop inventing formats that execute arbitrary code under the hood?


The problem isn’t SVG necessarily. It’s a nice vector format with many hidden features available to those who explore (especially with SVG 2 around the corner). The problem is JavaScript. Unfortunately, there’s not much one can do if they want interactive images[a][b] short of a Turing Complete language. And if you’re going to need that, JavaScript’s right there (for better or for worse).

[a]: Embedding the SVG directly into the HTML and manipulating it using the JavaScript in the HTML is an option, but not many people do that

[b]: We can argue all we want about whether we should be making interactive images in the first place, but the fact of the matter is, either you add it to your format, or someone else will


Every time someone does, someone else comes along and either presents a compelling enough use case that arbitrary execution is introduced or just wraps the thing in an environment where it’s funneled in.


Can SVGs even do anything malicious with that capability?


Where they can execute JS, they can do so in the same security context as the containing document. So, yeah, they can be used in situ for any privacy or security intrusion that a script tag can.


This is not entirely correct. An SVG file embedded in an <iframe> or <object> is a document itself, and if cross-origin, can not access the outer document. However, if not in a sandboxed iframe, it can still do things like trigger alert prompts or navigation.
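The thread's point that an SVG can carry script (a script element, event-handler attributes, or a javascript: link) is what a defender would check for before inlining a user-supplied SVG. Below is an added example, not code from any commenter, GitHub or Camo: a standard-library Python scan that reports those constructs; the two sample SVG documents are constructed.

```python
"""Flag active content in SVG files before serving them inline.

Constructed example: parses an SVG document with the standard library's
XML parser and reports every element or attribute that could execute
script in the embedding document's context. Detection only; it does
not rewrite the file.
"""
import xml.etree.ElementTree as ET


def _local(qualified_name):
    # ElementTree prefixes qualified names with "{namespace}"; strip it.
    return qualified_name.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return a list of (element, detail) findings for script-bearing SVG."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        name = _local(elem.tag)
        # <script> runs directly; <foreignObject> can embed arbitrary HTML.
        if name in ("script", "foreignObject"):
            findings.append((name, "element"))
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            if attr_name.startswith("on"):
                findings.append((name, f"event handler {attr_name}"))
            elif attr_name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append((name, "javascript: URL"))
    return findings


def is_safe_to_inline(svg_text):
    """True only when the document parses and carries no active content."""
    try:
        return not find_active_content(svg_text)
    except ET.ParseError:
        return False  # malformed input is rejected rather than trusted


# Constructed samples: a benign icon and one carrying script three ways.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="f()">'
    '<script>f()</script>'
    '<a xlink:href="javascript:f()"><text>x</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, is_safe_to_inline(doc), find_active_content(doc))
```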


Sorry, this is right. I should have said it’s just as capable or limited in SVG as a bare script tag in the same place.


Camo is just a proxy that allows them to (a) always serve remote content over HTTPS and (b) apply more constrained CSP rules. Camo doesn't remove any code nor sanitize it.

Edit: I think I narrowed down where you were wrong! GitHub "raw" endpoints for repository files DO have a sanitizing option. But that's not Camo (Camo is for remote, non-repo assets linked in comments or in markdown).





