If you read my post about Flicker Fix, which was included in and then removed from the first distribution of the CSS Friendly Control Adapters beta, you might have heard that it created a security hole.

Having a handler (or anything else) read a file whose path is specified in a request parameter is a really, really bad idea. For example, it lets anybody just browsing your site read your web.config file. If your connection string to the database is stored in clear text, then… too bad.

Now there is a fix for that issue posted on that page.

I like the way it is implemented, with a base rule of security: define what is allowed. So basically you define a key in your appconfig saying which pictures are accessible through the handler, and in your CSS you reference this key. Nice.
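To make the pattern concrete, here is a sketch of a handler that only serves files named by an allow-listed key. It is an added example, not the code of the posted fix; the class name, the `ImageHandler.ashx` URL, the `key` query parameter, the `FlickerFix.Image.` appSettings prefix and the `~/App_Images/` folder are all assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Web;

// Hypothetical names throughout (see lead-in). Assumed configuration and use:
//   web.config: <add key="FlickerFix.Image.header" value="header.gif" />
//   CSS:        background: url(ImageHandler.ashx?key=header);
public class AllowListedImageHandler : IHttpHandler
{
    private const string KeyPrefix = "FlickerFix.Image.";
    private const string ImageRoot = "~/App_Images/";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string path = Resolve(context.Request.QueryString["key"],
                              context.Server.MapPath(ImageRoot));
        if (path == null || !File.Exists(path))
        {
            context.Response.StatusCode = 404; // same answer for every rejection
            return;
        }
        string ext = Path.GetExtension(path).ToLowerInvariant();
        context.Response.ContentType = ext == ".jpg" ? "image/jpeg" : "image/" + ext.Substring(1);
        context.Response.TransmitFile(path);
    }

    // Returns the physical path for an allow-listed key, or null.
    // The request supplies only a key; the path itself comes from appSettings.
    internal static string Resolve(string key, string rootDir)
    {
        if (string.IsNullOrEmpty(key)) return null;
        string relative = ConfigurationManager.AppSettings[KeyPrefix + key];
        if (string.IsNullOrEmpty(relative)) return null; // key is not on the list

        // Defence in depth: even a misconfigured entry must stay under rootDir.
        string root = Path.GetFullPath(rootDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, relative));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

        string ext = Path.GetExtension(full).ToLowerInvariant();
        return (ext == ".gif" || ext == ".png" || ext == ".jpg") ? full : null;
    }
}
```

A request such as `?key=../web.config` fails at the appSettings lookup because no such key is defined, so the value never reaches the file system.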