On a lot of IndieWeb sites, I noticed that profile images of webmentions get directly embedded from their original source. For example, Twitter profile images are loaded directly from Twitter servers (pbs.twimg.com) or even my profile image is directly embedded from my site.
However you should consider enabling Content Security Policy (CSP) headers and only allow embedded content from trusted sites (your own domains). It could always happen that a site gets hacked and malware injected or a domain expires and some spammers register it again, that will also affect your website’s visitors. You won’t even notice it.
To solve this, you basically have two options:
- don’t display them at all,
- or download those images and serve the downloaded copy.
And don’t forget to enable CSP headers on your site!
Update: Sebastiaan Andeweg wrote a reply and linked his article, about how he hacked his own website! If you use PHP for your IndieWeb site, make sure to read it!