Issue 730121

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: XSS SVG download vulnerability

Reported by osmanstp...@gmail.com, Jun 6 2017

Issue description

VULNERABILITY DETAILS
Chrome doesn't display a warning that the file may be malicious. XSS vulnerability via SVG.

VERSION
Chrome Version: 58.0.3029 + Stable
Operating System: Windows 10

REPRODUCTION CASE
I included JavaScript XSS in the SVG image file. Gmail never stops it from being sent, and Chrome also doesn't warn that the file may be malicious as it normally does with suspicious files like .SWF, .EXE, etc., so both Gmail and Chrome are vulnerable to this. See screenshots.


 
xss2.PNG
82.0 KB View Download
xss1.PNG
1.4 MB View Download
Labels: Needs-Feedback
This bug is predicated upon the notion that script inside an SVG file loaded from your local filesystem is dangerous. Can you elaborate on why you believe that to be the case?

This sounds like a dupe of the same misunderstanding I addressed here:
https://bugs.chromium.org/p/chromium/issues/detail?id=645771#c1


If potentially harmful JavaScript is placed inside the SVG file, Chrome won't stop it like it stops other potentially harmful files. Unless I am seeing things wrong, Chrome was supposed to warn the user that the file being downloaded is harmful, but it didn't; it let me download it.
Project Member

Comment 3 by sheriffbot@chromium.org, Jun 6 2017

Cc: elawrence@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
So in other words, I purposely put XSS JavaScript inside the SVG file, and Chrome did not warn at all.
In this example, how are you opening the SVG?

I don't see a big difference between SVG and HTML in this case.
I also don't see where the XSS is happening – can you use this to run Javascript on mail.google.com?
I guess then you can just close this, if it is no different than running an HTML file. I open the SVG by downloading it from Gmail.
Status: WontFix (was: Unconfirmed)
Right, the key issue here is that there isn't any XSS-- in the scenario, the SVG file allows script execution (like any other downloaded type that supports script), but the script execution occurs in a neutral context. The downloaded file doesn't run in the context of the site that delivered it (meaning there's no XSS), and it doesn't run with any additional permissions (meaning there's no elevation of privilege). 
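The resolution above hinges on where the SVG's script runs: a file opened from a download runs in a neutral context, whereas the same file rendered inline on the origin that accepted it would be script on that origin. The practical defender-side check is therefore at upload or attachment-handling time. The following is an added example, not code from the Chromium project or from anyone in this thread; it uses only the Python standard library, and the two SVG documents are constructed samples, one carrying active content (a `<script>` element, an `onload` handler and a `javascript:` link) and one clean.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a valid image that also carries three kinds of active content.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="console.log('loaded')">
  <circle cx="50" cy="50" r="40" fill="blue"/>
  <script>console.log("script element")</script>
  <a xlink:href="javascript:void(0)"><text x="10" y="20">link</text></a>
</svg>
"""

# Constructed sample: plain vector graphics, nothing executable.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="red"/>
</svg>
"""


def local_name(qualified):
    """ElementTree spells namespaced names as '{uri}local'; return the local part, lower-cased."""
    return qualified.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text):
    """Return (kind, location) findings for anything in the SVG that can execute script.

    Checked: <script> elements, on* event-handler attributes on any element,
    and href / xlink:href attributes whose value is a javascript: URL.
    Raises xml.etree.ElementTree.ParseError on malformed input, which an
    upload filter should treat as a rejection rather than a pass.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        name = local_name(elem.tag)
        if name == "script":
            findings.append(("script-element", name))
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):
                findings.append(("event-handler", f"{name}@{aname}"))
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript-url", f"{name}@{aname}"))
    return findings


def is_safe_to_inline(svg_text):
    """True only when no active content was found; inline rendering is the risky case."""
    return not find_active_content(svg_text)


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_SVG), ("clean", CLEAN_SVG)):
        print(label, find_active_content(doc))
```

A file that fails `is_safe_to_inline` is exactly the kind of attachment the thread is about: harmless as a download opened from disk, but a script-injection vector if a web application were to serve it inline from its own origin. The usual mitigations for hosting user-supplied SVG are to serve it with `Content-Disposition: attachment`, from a separate origin, or under a `Content-Security-Policy: sandbox` header, rather than relying on the browser's download warnings, which, as the comment above explains, are not designed for this case.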
Project Member

Comment 8 by sheriffbot@chromium.org, Sep 13 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Issue 808428 has been merged into this issue.
