Read the two sentences following the one you quoted. It's not talking about OpenSea collecting your web address. It's talking about the OpenSea client-side website loading and executing arbitrary HTML loaded from a remote location specified by the NFT creator, which the NFT creator can control. If I create an NFT with an animation url set to `http://my-website/arbitrary-code-i-can-change-any-time.html`, I can execute whatever JavaScript scripts I want in the client-side browser of anyone who views my NFT on OpenSea's website.


This is just how the web (e.g. iframes, XSS) works in general.


Right. But if I include an arbitrary link to a cryptocurrency mining script in my comment right here, Hacker News' website won't load it into your browser and start executing it as soon as you view this comment, with no interaction needed from you. If they did, that would be bad.


Oh yeah, sure. I think we're on the same page here. It's literally no different than an XSS vulnerability (done on purpose or otherwise), which basically boils down to: yeah, don't do that.
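The thread above treats a marketplace that loads a creator-supplied `animation_url` straight into its own page as an XSS-equivalent. The following is an added example, not code from any commenter or from OpenSea, showing how a site that must display such third-party content can contain it: an allow-list on the URL scheme plus an `iframe` whose `sandbox` attribute omits `allow-same-origin`, so whatever the creator serves runs in an opaque origin with no access to the marketplace's cookies, storage or DOM. Function names are hypothetical; it runs in Node or a browser since it only uses the WHATWG `URL` API.

```javascript
// Added example: isolate a creator-controlled media URL before embedding it.

const ALLOWED_SCHEMES = new Set(["https:"]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Validate the creator-controlled URL. Rejects javascript:, data:, blob:,
// plain http and anything that is not an absolute URL, and refuses embedded
// credentials, so the value can never become inline script in our origin.
function validateAnimationUrl(raw) {
  let url;
  try {
    url = new URL(raw);      // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.username || url.password) return null;
  return url.href;           // normalised: quotes and brackets are %-encoded
}

// Build the markup for a sandboxed iframe. Without allow-same-origin the
// frame gets an opaque origin and cannot read the embedding site's cookies,
// localStorage or DOM; without allow-top-navigation or allow-popups it cannot
// redirect the viewer. Scripts may still run inside that opaque origin, so
// this limits what a script can reach, not whether it executes (a CPU-heavy
// miner, as in the thread, still costs the viewer CPU until the frame closes).
function renderAnimationFrame(raw) {
  const href = validateAnimationUrl(raw);
  if (href === null) {
    return '<p class="nft-media-blocked">Media could not be displayed.</p>';
  }
  return (
    '<iframe src="' + escapeAttr(href) + '"' +
    ' sandbox="allow-scripts"' +        // no same-origin, popups or top-nav
    ' referrerpolicy="no-referrer"' +   // do not leak the viewer's page URL
    ' allow=""' +                       // deny camera, mic, payment, etc.
    ' loading="lazy"' +
    '></iframe>'
  );
}
```

Pair this with a Content-Security-Policy `frame-src` directive on the embedding page if you want to additionally restrict which hosts the media may come from.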



