At this point I feel like it'd be useful for web server default configurations to include something like:
if extension == .svg
    set-header Content-Security-Policy: script-src 'none'
end
Wouldn't that stop a browser from running scripts, even if the SVG file is opened directly? Having this be widespread would solve it wholesale.
Not a bad idea!
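The rule proposed in the first comment, as an added example that is not part of the original thread: a Python WSGI middleware that sets the header on SVG responses. It goes one step beyond the pseudocode by also matching on `Content-Type: image/svg+xml`, so SVGs served from URLs without a `.svg` extension are covered; `SvgNoScript`, `demo_app` and the routes are hypothetical names and constructed sample data.

```python
SVG_CSP = ("Content-Security-Policy", "script-src 'none'")


def is_svg(path, headers):
    """True if the URL path or the response Content-Type indicates SVG."""
    if path.lower().endswith((".svg", ".svgz")):
        return True
    for name, value in headers:
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower() == "image/svg+xml"
    return False


class SvgNoScript:
    """WSGI middleware (hypothetical name): add the policy to SVG responses."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            if is_svg(environ.get("PATH_INFO", ""), headers):
                # Appended, not replaced: browsers enforce every CSP header
                # they receive, so a policy the app already set still applies.
                headers = list(headers) + [SVG_CSP]
            return start_response(status, headers, exc_info)
        return self.app(environ, patched)


def demo_app(environ, start_response):
    """Constructed sample app, for illustration only."""
    svg = [("Content-Type", "image/svg+xml; charset=utf-8")]
    routes = {
        "/logo.svg": svg + [("Content-Security-Policy", "default-src 'self'")],
        "/avatar": svg,  # SVG served from a URL without the .svg extension
        "/index.html": [("Content-Type", "text/html")],
    }
    start_response("200 OK", routes[environ["PATH_INFO"]])
    return [b""]


def response_headers(app, path):
    """Send one request for `path` through `app`; return the headers it set."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    sent = []
    app(environ, lambda status, headers, exc_info=None: sent.extend(headers))
    return sent
```

Calling `response_headers(SvgNoScript(demo_app), "/avatar")` shows the policy attached to an SVG that an extension-only rule would miss, while `/index.html` is left untouched.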