Open Bug 1358106 Opened 6 years ago Updated 6 months ago
Object doesn't display images with inlined styles when CSP is enabled
(Core :: DOM: Security, defect, P3)
(Reporter: flapengemail, Unassigned)
4.21 KB, text/html
901 bytes, application/zip
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 YaBrowser/18.104.22.1684 (beta) Yowser/2.5 Safari/537.36 Steps to reproduce: Take a page with style-src 'nonce-...' CSP. Try to load svg with foreignObject with inlined styles. (https://gist.github.com/flapenguin/3b6045c9e81e7a95e0ea7cf9a74e9647) Actual results: foreignObject is empty, CSP errors about inline styles reported to console. As far as I know there's no other way to specify styles in foreignObject. Expected results: foreignObject should render correctly. I found two workarounds: - add 'unsafe-inline' to CSP. That's not very useful, since it requires to remove 'nonce-...'. (comment/uncomment meta with CSP) - use style tag inside of foreignObject with nonce to define styles (add/remove ?style to url)
6 years ago
Thanks for reporting. Let me explain, within Firefox we use principals to define the security context. My guess is that in this case we are incorrectly inherit the principal and hence also incorrectly inherit the CSP with it, which causes Firefox to block the style. For now I have to put that in the backlog though because of resource constraints.
Priority: -- → P3
6 years ago
There's a same problem with SVG without any foreignObject elements, but with CSS styling. If a page doesn't have 'nonce-...' CSP source in style-src (which can be added to style element inside SVG) or 'unsafe-inline' (to set styles in elements' attribute) then it's impossible to use CSS for styling in blob: or data: SVGs.
8 months ago
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.