Serving a SVG image as content-type `image/svg+xml` with ``` Content-Security-Policy: default-src 'none'; ``` will prevent SMIL animation from working in Firefox but they do work in Blink with the same CSP. One can work around by setting ``` Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; ``` which is also what GitHub uses for their raw SVGs, but I think it's overzealous to identify SMIL as an unsafe inline style, it should not be classified as such.
Bug 1683972 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Serving a SVG image as content-type `image/svg+xml` with ``` Content-Security-Policy: default-src 'none'; ``` will prevent SMIL animation from working in Firefox but they do work in Blink with the same CSP. One can work around by setting ``` Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; ``` which is also what GitHub uses for their raw SVGs, but I think it's overzealous to identify SMIL as an unsafe inline style, it should not be classified as such. Related discussion around this in https://bugzilla.mozilla.org/show_bug.cgi?id=763879
Serving a SVG image as content-type `image/svg+xml` with ``` Content-Security-Policy: default-src 'none'; ``` will prevent SMIL animation from working in Firefox but they do work in Blink with the same CSP. One can work around by setting ``` Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; ``` which is also what GitHub uses for their raw SVGs, but I think it's overzealous to identify SMIL as an unsafe inline style, it should not be classified as such. Related discussion around this in https://bugzilla.mozilla.org/show_bug.cgi?id=763879 Example image: https://raw.githubusercontent.com/StylishThemes/GitHub-Dark/master/images/octocat-spinner-smil.svg
Serving a SVG image as content-type `image/svg+xml` with ``` Content-Security-Policy: default-src 'none'; ``` will prevent SMIL animations from working in Firefox but they do work in Blink with the same CSP. One can work around by setting ``` Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; ``` which is also what GitHub uses for their raw SVGs, but I think it's overzealous to identify SMIL as an unsafe inline style, it should not be classified as such. Related discussion around this in https://bugzilla.mozilla.org/show_bug.cgi?id=763879 Example image: https://raw.githubusercontent.com/StylishThemes/GitHub-Dark/master/images/octocat-spinner-smil.svg