diff --git a/src/components/code-editor/view/subcomponents/CodeEditorMediaPreview.tsx b/src/components/code-editor/view/subcomponents/CodeEditorMediaPreview.tsx
index 4573907f..62cdbab1 100644
--- a/src/components/code-editor/view/subcomponents/CodeEditorMediaPreview.tsx
+++ b/src/components/code-editor/view/subcomponents/CodeEditorMediaPreview.tsx
@@ -142,6 +142,13 @@ export default function CodeEditorMediaPreview({
// stale URL from the previous file is never rendered during a switch.
const currentUrl = url && loadedKey === sourceKey ? url : null;
+ // SVGs render safely inline via (scripts don't execute there), but the
+ // open-in-new-tab link is a top-level navigation. A blob URL inherits the
+ // app's origin, so a user-controlled SVG with an embedded