
My understanding is that the SVGs were imported directly and embedded as code, not as a `src` for an img tag. This is very common; it's a subjectively better (albeit only with good security practices) way to render SVGs, as it provides the ability to adjust and style them via CSS since they are now just another element in the HTML DOM. It should only be done with "trusted" SVGs, however!

As for CORS, they were uploading the SVGs to an account of their own, but then using the vulnerabilities to pivot to other accounts.


Thanks, that makes sense. Strange that the writeup skipped the most important step in the vulnerability!

If I can run my own code but in your context, I can pull in malicious scripts.

With that (all of these are "possible" but not guaranteed; as usual, it depends, and this is off the top of my head):

- I can redirect you to sites I control where I may be able to capture your login credentials.

- May be able to prompt and get you to download malware or virus payloads and run them locally.

- Can deface the site you are on, either leading to reputational harm for that brand, or leading you to think you're doing one thing when you're actually doing another.

- I may be able to exfiltrate your cookies and auth tokens for that site and potentially act as you.

- I might be able to pivot to other connected sites that use that site's authentication.

- I can prompt, as the site, for escalated access, and you may grant it because you trust that site, thereby potentially gaining access to your machine (it's not that the browsers fully restrict local access, they just require permission).

- Other social engineering attacks, trying to trick you into doing something that grants me more access, information, etc.


I suspect I'm preaching to the choir, but that is a communication issue and a sign the "rewards system" is out of whack, not a "reason" not to push for regular maintenance/tech debt/bug cleanup work.

It should be understood that there WILL be bugs, that is NOT a sign of incompetence, and so cleaning them up should be an ongoing task so they do not linger and collect (and potentially get worse by compounding with other bugs).


In the spirit of that exercise, the fixes should not take an excessive amount of time to review. If they are, it's likely either the scope of the fix is too large for that kind of exercise, or the PR review process is too in-depth.

I would also question why only 3 of 8 devs approve PRs. Even if that can't change more broadly all of the time, this kind of exercise seems like a perfect time to allow everyone to review PRs. Twofold benefit: more fixes get reviewed, and it gives experience reviewing to others who don't get to do that regularly.

So yes, definitely still do PRs, and if that is problematic, consider whether that is an indication the PR process may itself need to be reviewed.


Not invalidating your viewpoint, and I'd bet we are pretty well aligned. I too have a pretty local-first view and think that as a country we put too much emphasis, energy, and discussion on national politics and could all benefit from "getting outside". That said, I did want to point out that this comes across as a very self-centric viewpoint, one that would differ greatly depending on who you ask. Even as an anecdotal story, it offers very little to say about the current state of affairs related to how people voted, which would appear to be the intent of the response.

As a bit of a semi-related aside, while everyone has different motivations when voting, as a whole when folks are able to vote for their gov't, one hopes that enough people are thinking about what is good for the majority and society as a whole and not only what is good for themselves. And that has more impact at local and state levels usually. A bit idealistic, admittedly.


If there is any reason for the test, it would be diagnostic and not preventative, and that is generally covered. Just checking because you want to know your levels generally wouldn't be, but there are any number of symptoms that could be related to that.

As for it being a "scam": there are enough valid studies that show what this one did, that folks who are deficient and are able to raise their levels tend to be slightly healthier.

There isn't necessarily evidence for supplementation beyond "normal" range, and I do agree that no one should just take high-dose vitamin D supplements without data (tests) that it is necessary.


Generally agree, but unlike water-soluble vitamins, vitamin D can store excess in fatty tissue and the liver, and so if a person takes a large dose (generally 10,000 IU daily or more), they could develop toxicity over time due to the build-up. That's why it's important to test and adjust dosages according to the data.


As has been commented elsewhere, everyone absorbs vitamin D differently, this really is a matter where someone should just get tested, if they (and their doctor) decide supplementation is needed, do so, test again, and adjust dosage accordingly until desired levels are attained.

Not medical advice here, but harmful effects from vitamin D exposure/toxicity generally only happen at very high levels, or if high doses are taken over long periods of time (as excess can be stored in fatty tissue/liver). Doctors often prescribe a very high dose (like 50,000 IUs) for individuals who are very deficient (often taken once a week, not daily) for a short period before going on a more standard (400-2,000, maybe 5,000) IU dose for maintenance.


Echo this with a PSA: it's a simple test to get your levels, and I'm a proponent of ensuring it's included when you have other regular blood tests (may have to ask for it). That can allow a person to see patterns, how effective any supplementation (and different amounts) are, etc.


Just my results (n=1) and I don't think this is exactly what you were saying, but just in case others read it the same way I did at first: having had (lab tested) vitamin D deficiencies, vitamin D supplementation can help to restore levels back into the desired range. So supplementation can have the desired effect of improving vitamin D levels (more below). It is a simple test that most doctors don't quibble about adding on to other blood tests (e.g. during an annual checkup), but it isn't generally checked by default. (Note: insurers may want it to be "diagnostic" rather than "preventative" in order to cover the test.)

Whether it has a "positive impact" on overall health (which I believe to be your point), that would be even more anecdotal and also impossible for me to narrow down whether that one factor had any significant effect, so I won't posit that. And I agree that from different studies I've read, the actual science on it is pretty varied and I haven't seen anything conclusive. Even this study notes their conclusion was "... among adults with suboptimal baseline vitamin D levels".

