[CSP] Blocks the use of style attributes inside SVG without generating console errors
Categories
(Core :: DOM: Security, defect, P2)
Tracking
()
People
(Reporter: April, Assigned: ckerschb)
References
(Blocks 2 open bugs, )
Details
(Whiteboard: [domsecurity-active])
Attachments
(6 files, 1 obsolete file)
Reporter | ||
Comment 1•9 years ago
|
||
Reporter | ||
Comment 2•9 years ago
|
||
Assignee | ||
Updated•9 years ago
|
Updated•9 years ago
|
Comment 6•8 years ago
|
||
Updated•8 years ago
|
Comment 11•7 years ago
|
||
Assignee | ||
Comment 12•7 years ago
|
||
Comment 14•6 years ago
|
||
Comment 15•6 years ago
|
||
Reporter | ||
Comment 16•6 years ago
|
||
Comment 17•6 years ago
|
||
Reporter | ||
Comment 18•6 years ago
|
||
Comment 19•6 years ago
|
||
Comment 20•6 years ago
|
||
Comment 21•6 years ago
|
||
Comment 22•6 years ago
|
||
Reporter | ||
Comment 23•6 years ago
|
||
Reporter | ||
Comment 24•6 years ago
|
||
Comment 25•6 years ago
|
||
Reporter | ||
Comment 26•6 years ago
|
||
Comment 27•6 years ago
|
||
Comment 28•6 years ago
|
||
Reporter | ||
Comment 29•6 years ago
|
||
Comment 30•6 years ago
|
||
Comment 31•6 years ago
|
||
Assignee | ||
Comment 32•6 years ago
|
||
Comment 33•6 years ago
|
||
I've the same issue here on a website (and some other websites might encounter this issue, as this technique is already used), using a SVG sprite file from CSS:
sprite-for-css-only.svg
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="16" height="16" viewBox="0 0 16 16">
<style>
use { display: none; }
use:target { display: block; }
.white { fill: #fff; }
.black { fill: #000; }
</style>
<symbol id="symbol-search">
<path d="M9.6,8.89a4.47,4.47,0,0,0,1-2.83,4.56,4.56,0,1,0-4.56,4.56,4.47,4.47,0,0,0,2.83-1l4.26,4.25.7-.7Zm-3.54.73A3.56,3.56,0,1,1,9.62,6.06,3.57,3.57,0,0,1,6.06,9.62Z"></path>
</symbol>
<symbol id="symbol-carret">
<path d="M7.782 9.356l-4.44-4.111-.75.694 5.19 4.805 5.19-4.805-.749-.694z"/>
</symbol>
<use id="css-search" xlink:href="#symbol-search" class="black" />
<use id="css-carret" xlink:href="#symbol-carret" class="black" />
</svg>
and referring to it from CSS via: background: url("/assets/img/sprite-for-css-only.svg#css-search") 6px 50% no-repeat;
It should display only the use
specified, which is a quite smart and useful.
My CSP headers are set up not to allow unsafe-inline
CSS, and the inlne styles of the SVG files are blocked (which goes to display all SVG paths) :(
I've found a stupid workaround by adding a hash in style-src
directive (a nonce works also, but as it is in a static SVG file, not a good idea).
Please fix this, this is a really annoying bug.
Comment hidden (me-too) |
Comment 35•5 years ago
|
||
I have a case of the website branding losing its color. This is a very significant issue, it is not acceptable that svg's lose their color, webdevs are forced to lose up CSP as long as this bug exists.
Case: https://ffscoiety.nl
That website is still in development and what we see is a placeholder, but as you can see an important choice is coming up, it can't go into production like that. The SVG should have a distinct blue gradient.
Point I am trying to make: This is indeed a high priority issue, it forces developers to lose up their security. Kindly suggest bumping priority higher than P3.
Reporter | ||
Comment 36•5 years ago
|
||
Note that if you disable CSP on SVG images, it will display properly while still giving you full security. See the first post for how.
Comment 37•5 years ago
|
||
You proposed workaround can be quite dangerous, as setting a header within the location block means that all other headers set previously no longer apply to svg files:
From nginx http://nginx.org/en/docs/http/ngx_http_headers_module.html :
"There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level. "
If I am not mistaken a location directive adds a new level.
Doing it your way means I devs must be aware of this and set all their headers again on location ~ .svg$
Comment 38•5 years ago
|
||
This is hitting another site, as reported at https://webcompat.com/issues/41955
The issue affects SVG images even when viewing them directly in the URL bar: https://portswigger.net/web-security/images/browser-logos/firefox.svg
I would prefer that we address this sooner rather than later, as it is not immediately obvious to someone diagnosing a webcompat issue what is happening due to the lack of console feedback (unless they already know about this bug).
Comment hidden (me-too) |
Comment hidden (me-too) |
Comment 41•5 years ago
|
||
Christoph, now that bug 965637 is fixed, what's left to do to fix this?
Assignee | ||
Comment 42•5 years ago
|
||
(In reply to Boris Zbarsky [:bzbarsky] from comment #41)
Christoph, now that bug 965637 is fixed, what's left to do to fix this?
There is nothing left to fix this. Seems bug 965637 took care of it. Uploading a test in a minute.
Assignee | ||
Comment 43•5 years ago
|
||
Updated•5 years ago
|
Comment 44•5 years ago
|
||
The initial bug report here involved a site-wide CSP delivered via HTTP headers, including for SVG images, no? So that test is not testing the initial bug report's setup...
Assignee | ||
Comment 45•5 years ago
|
||
(In reply to Boris Zbarsky [:bzbarsky] from comment #44)
The initial bug report here involved a site-wide CSP delivered via HTTP headers, including for SVG images, no? So that test is not testing the initial bug report's setup...
I agree, the test is using a meta CSP and does not rely on an http header delivered CSP. FWIW, I flagged April (the reporter) for review on the test and also pinged her on slack - but I am happy to update the test if needed.
Reporter | ||
Comment 46•5 years ago
|
||
I just tested on my website, and Nightly doesn't seem to be working.
If there is a CSP delivered on SVG file loaded in the context of a webpage, it still blocks the use of inline styles inside them.
Assignee | ||
Comment 47•5 years ago
|
||
(In reply to April King [:April] from comment #46)
I just tested on my website, and Nightly doesn't seem to be working.
If there is a CSP delivered on SVG file loaded in the context of a webpage, it still blocks the use of inline styles inside them.
Ah, so my testcase is wrong in the end. The SVG itself is served using a CSP not allowing inline style. I thought the SVG incorrecty inherits the CSP from the loading document. So there is still a bug. Since I am already on it, I will rewrite my automated testcase and fix that. Thanks Boris and April!
Assignee | ||
Comment 48•5 years ago
|
||
Updated•5 years ago
|
Assignee | ||
Updated•5 years ago
|
Comment 50•5 years ago
|
||
Comment 51•5 years ago
|
||
bugherder |
Updated•5 years ago
|
Description
•