scoofy 9 hours ago

As someone who runs a site that uses inline SVG, this is unfortunate. Hopefully it won't be a problem for me.

pixl97 9 hours ago | parent

Maybe I'm missing something, but it looks like it requires an iframe attack or an XSS to work correctly, both of which have page/server settings that can be used to avoid them.

spartanatreyu 8 hours ago | parent

It's easy to prevent clickjacking attacks by not allowing your website to be embedded in an iframe.

You can do that by either adding a header to your network requests, o̶r̶ ̶b̶y̶ ̶a̶d̶d̶i̶n̶g̶ ̶t̶h̶e̶ ̶f̶o̶l̶l̶o̶w̶i̶n̶g̶ ̶m̶e̶t̶a̶ ̶t̶a̶g̶ ̶t̶o̶ ̶y̶o̶u̶r̶ ̶p̶a̶g̶e̶:̶

̶<̶m̶e̶t̶a̶ ̶h̶t̶t̶p̶-̶e̶q̶u̶i̶v̶=̶"̶X̶-̶F̶r̶a̶m̶e̶-̶O̶p̶t̶i̶o̶n̶s̶"̶ ̶c̶o̶n̶t̶e̶n̶t̶=̶"̶D̶E̶N̶Y̶"̶>̶

EDIT:

According to MDN, it will only work by adding it to your headers. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...

r1ch 7 hours ago | parent

The modern way to do this is with the Content-Security-Policy: frame-ancestors directive: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
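As an added example that is not part of any comment above, the check below evaluates the two anti-framing headers the last two comments name the way browsers do: when a Content-Security-Policy response header carries a frame-ancestors directive, X-Frame-Options is ignored; otherwise X-Frame-Options decides; with neither, any site may frame the page. The header object, origins and function names are my own, and the source matching is simplified (schemeless host-sources are matched against the embedder's scheme as given, and the deprecated ALLOW-FROM value is treated as unrecognised).

```javascript
// Added example: decide whether a response may be framed by a given embedder origin.

// Return the frame-ancestors source list from a CSP header value, or null if absent.
function parseFrameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null; // CSP present but without frame-ancestors: fall back to X-Frame-Options
}

// Match one frame-ancestors source expression against an embedder origin string.
function sourceMatches(source, embedderOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedderOrigin === pageOrigin;
  if (s === '*') return true;
  const e = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return e.protocol === s; // scheme-source, e.g. https:
  // host-source: [scheme://]host[:port]; a leading "*." matches subdomains only
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme}:` !== e.protocol) return false;
  if (wildcard ? !e.hostname.endsWith(`.${host}`) : e.hostname !== host) return false;
  const embedderPort = e.port || (e.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === embedderPort;
}

// headers: plain object of response header names (any case) to values.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const get = (name) =>
    Object.entries(headers).find(([k]) => k.toLowerCase() === name)?.[1];
  const ancestors = parseFrameAncestors(get('content-security-policy'));
  if (ancestors) {
    // frame-ancestors present: X-Frame-Options is ignored by the browser
    return ancestors.some((src) => sourceMatches(src, embedderOrigin, pageOrigin));
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no valid anti-framing header: the page can be clickjacked
}

// Constructed sample: a site that only sets the legacy header.
console.log(framingAllowed({ 'X-Frame-Options': 'DENY' }, 'https://example.com', 'https://other.example'));
```

Run it against your own site's response headers to confirm which embedders, if any, are still permitted.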