On bug 65724 #c1, Christian linked to an uploaded SVG that included a png loaded via https from upload.wikimedia.org. I confirmed in firefox that the browser is making a separate http connection to load the resource.
If an editor can embed a raw svg in a page, and if the svg loads resources from other web servers, it might be possible to track viewers.
Additionally, if it can load an svg that contains javascript, I need to test what SoP is applied to the javascript, to make sure it can't talk back to our sites.
Version: 1.24rc
Severity: normal
See Also:
http://bugzilla.wikimedia.org/show_bug.cgi?id=3537