Closed Bug 1312240 Opened 8 years ago Closed 8 years ago

Inline style in SVG is disabled with CSP

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Version:
49 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1262842

People

(Reporter: jehan, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 Build ID: 20160919122641 Steps to reproduce: We recently implemented CSP on gimp.org the most secure way, i.e. without 'unsafe-inline': https://observatory.mozilla.org/analyze.html?host=www.gimp.org Actual results: We have a small Wilber icon in the top (just left to "GIMP" item in the top black bar) and it ends up black (hence barely visible) because the style is fully inline (as any SVG file straight out of Inkscape): https://www.gimp.org/ It was not spotted until today (SVG images passed under the inline script/css cleaning radar). https://bugzilla.gnome.org/show_bug.cgi?id=773364 Expected results: I checked the CSP spec and according to section "3.6 Policy Applicability", when a SVG is embedded via <img>: > No policy; should be just as safe as JPG https://www.w3.org/TR/CSP11/#which-policy-applies So if not mistaken, in our case, since the Wilber icon is indeed included as <img>, Firefox should not apply any policy on the subresource, hence it should apply the inline CSS in the SVG icon.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.