- Improvement
- Resolution: Unresolved
- Minor
- None
- 4.2
- MOODLE_402_STABLE
We should have an option available for admins to enable/disable which, if enabled, means that embedded remote content such as images (e.g. in a forum post) is proxied, rather than loading the remote file directly. This will have several security benefits:
- The remote server only ever sees the server, not the user's IP address.
- A generic endpoint fetches the data, not a specific page / URL where the image is being fetched.
- #2 also means that site/course/user-specific details available in the current URL will not be available to the remote server. One direct impact of this is that sesskeys which have not yet been migrated to POST and are included in a URL won't be included in the request. (This may only be a factor if insecure headers are configured.)
I think it makes sense for this to be enabled for new sites, but disabled for upgrades.
Note: More investigation is needed on this for potential risks/benefits, but it has been on my list to look at for a while so for now I just want to ensure it is in the backlog.
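The following is an added illustration of the mechanism described in this issue; it is not Moodle code and is not part of the original report. It assumes a hypothetical proxy endpoint (`https://moodle.example.org/imageproxy`), a constructed per-site secret, and a simple regex over `<img src="...">` in place of Moodle's real HTML filter pipeline. The two checks a practitioner would want are included: the rewritten proxy URL is HMAC-signed so the endpoint cannot be used as an open proxy or SSRF pivot by anyone who can reach it, and the upstream fetch is built without a Referer or cookies, which is what keeps the page URL (and any sesskey in it) and the user's IP away from the remote host.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed example values, not Moodle configuration: a per-site secret used
# to sign proxied URLs, and a hypothetical proxy endpoint on the Moodle host.
PROXY_SECRET = b"example-site-secret-not-for-production"
PROXY_ENDPOINT = "https://moodle.example.org/imageproxy"


def sign_url(url: str) -> str:
    """HMAC-SHA256 over the remote URL; only the server can mint valid proxy links."""
    return hmac.new(PROXY_SECRET, url.encode(), hashlib.sha256).hexdigest()


def proxied_url(url: str) -> str:
    """Rewrite an http(s) URL into a signed proxy URL; other schemes are left alone."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return url
    return f"{PROXY_ENDPOINT}?url={quote(url, safe='')}&sig={sign_url(url)}"


IMG_SRC = re.compile(r'(<img\b[^>]*\bsrc=")([^"]+)(")', re.IGNORECASE)


def rewrite_remote_images(html: str, site_host: str) -> str:
    """Rewrite the src of <img> tags that point off-site; same-site and
    relative images are not touched (they never leave the server anyway)."""

    def repl(m: re.Match) -> str:
        src = m.group(2)
        host = urlparse(src).hostname
        if host is None or host.lower() == site_host.lower():
            return m.group(0)
        return m.group(1) + proxied_url(src) + m.group(3)

    return IMG_SRC.sub(repl, html)


def verify_proxy_request(query: str):
    """Server-side check of an incoming proxy request (the query string).
    Returns the remote URL to fetch, or None if the signature is missing,
    tampered, or the URL is not http(s). Rejecting unsigned URLs is what
    stops the endpoint from acting as an open proxy."""
    params = parse_qs(query)
    url = params.get("url", [None])[0]
    sig = params.get("sig", [None])[0]
    if not url or not sig:
        return None
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return None
    if not hmac.compare_digest(sig.encode(), sign_url(url).encode()):
        return None
    return url


def upstream_request(url: str) -> dict:
    """The request the proxy makes on the user's behalf. It deliberately
    carries no Referer (so the page URL, and any sesskey in it, is not sent)
    and no cookies; the remote host sees only the server's address."""
    return {
        "method": "GET",
        "url": url,
        "headers": {"User-Agent": "ImageProxy/0.1 (example)", "Accept": "image/*"},
    }


if __name__ == "__main__":
    # Constructed forum-post fragment, not real Moodle output.
    post = ('<p><img src="https://cdn.example.net/a.png"> '
            '<img src="https://moodle.example.org/pix/b.png"></p>')
    rewritten = rewrite_remote_images(post, "moodle.example.org")
    print(rewritten)
    query = proxied_url("https://cdn.example.net/a.png").split("?", 1)[1]
    print(upstream_request(verify_proxy_request(query)))
```

A real implementation would also need to bound the fetch (size, timeout, content-type), cache responses, and refuse redirects to private address ranges; none of that is shown here.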