HTML preview maybe should work with local images?

[ocdtrekkie]

I host a website out of a Davros grain. It's a bit odd to me that when I preview the index.html file, it does render, yet fails to embed the image stored in the same folder in Davros. It's not a big deal as I can visit the publishing URL, it just seems odd to me that it doesn't work?

But then I kind of looked, and realized HTML files preview as "code", so I wondered if it rendering the HTML at all was a mistake...

[mnutt]

You're right, I think it was a mistake that it rendered at all. My general pattern for rendering previews of untrusted content is to xhr-fetch the contents and add them as srcdoc to a sandboxed iframe, and without allow-origin I'm not sure it'd be able to render relative images but can test it to see.

[mnutt]

Unfortunately I think this may end up out of scope; it may just be too hard to preview a page safely while allowing local images but disallowing remote image loads. But I can investigate it some more at a future date.