Inline style in SVG is disabled with CSP

Status: RESOLVED DUPLICATE of bug 1262842
Type: defect
Reporter: jehan (Unassigned)
Version: 49 Branch
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 3 years ago)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160919122641

Steps to reproduce:

We recently implemented CSP on gimp.org in the most secure way, i.e. without 'unsafe-inline': https://observatory.mozilla.org/analyze.html?host=www.gimp.org


Actual results:

We have a small Wilber icon at the top (just to the left of the "GIMP" item in the top black bar) and it ends up black (hence barely visible) because the style is fully inline (as in any SVG file straight out of Inkscape): https://www.gimp.org/

It was not spotted until today (SVG images passed under the inline script/CSS cleaning radar).
https://bugzilla.gnome.org/show_bug.cgi?id=773364


Expected results:

I checked the CSP spec and, according to section "3.6 Policy Applicability", when an SVG is embedded via <img>:

> No policy; should be just as safe as JPG

https://www.w3.org/TR/CSP11/#which-policy-applies

So, if I'm not mistaken, in our case, since the Wilber icon is indeed included as <img>, Firefox should not apply any policy to the subresource, hence it should apply the inline CSS in the SVG icon.
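
As an added example that is not part of this bug report nor of gimp.org's site code: a hypothetical Python helper for the workaround a site owner can apply while the page's CSP is applied to an `<img>` SVG, namely rewriting Inkscape's inline `style=""` declarations into SVG presentation attributes, which are plain markup rather than CSS and so are not governed by `style-src`. The sample SVG is constructed; declarations without an attribute form stay in `style=""` and remain subject to the policy.

```python
"""Move inline style="" declarations of an SVG into presentation attributes.
Hypothetical helper, not Firefox or gimp.org code. fill="#ff9900" is markup,
not CSS, so a Content-Security-Policy whose style-src lacks 'unsafe-inline'
cannot block it, even when a browser applies the policy to an <img> SVG."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialise as <svg>, not <ns0:svg>

# CSS properties that SVG also accepts as presentation attributes.
PRESENTATION = {
    "fill", "fill-opacity", "fill-rule", "stroke", "stroke-width", "opacity",
    "stroke-opacity", "stroke-linecap", "stroke-linejoin", "stroke-dasharray",
}

def inline_style_to_attrs(svg_text: str) -> str:
    """Return the SVG with every convertible declaration moved to an attribute.
    Properties with no attribute form (e.g. Inkscape's -inkscape-*) stay in
    style="" and remain subject to the CSP; <style> elements are not handled."""
    root = ET.fromstring(svg_text)
    for el in root.iter():
        style = el.attrib.pop("style", None)
        if not style:
            continue
        leftovers = []
        for decl in style.split(";"):
            if ":" not in decl:
                continue
            prop, value = (part.strip() for part in decl.split(":", 1))
            if prop in PRESENTATION:
                el.set(prop, value)  # style="" outranks the attribute: overwrite
            else:
                leftovers.append(f"{prop}:{value}")
        if leftovers:
            el.set("style", ";".join(leftovers))
    return ET.tostring(root, encoding="unicode")

def fill_of(svg_text: str, element_id: str):
    """Fill presentation attribute of the element with that id, or None."""
    for el in ET.fromstring(svg_text).iter():
        if el.get("id") == element_id:
            return el.get("fill")
    return None

# Constructed sample in the shape of an icon exported straight from Inkscape.
SAMPLE = (
    f'<svg xmlns="{SVG_NS}" viewBox="0 0 16 16"><path id="body" d="M2 2h12v12H2z" '
    'style="fill:#ff9900;stroke:#000000;stroke-width:0.5;-inkscape-stroke:none"/></svg>'
)
```

Run `inline_style_to_attrs` over each exported icon at build time; the converted file renders with its intended colours whether or not the embedding page's policy is applied to it.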

Updated (3 years ago)

Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1262842