Closed Bug 1405725 Opened 7 years ago Closed 6 years ago

Firefox CSP blocks SVG document styling without warning in the web console

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement


RESOLVED DUPLICATE of bug 1262842

People

(Reporter: mikehenrty, Unassigned)

References

Details

(Whiteboard: [domsecurity-backlog1])

+++ This bug was initially created as a clone of Bug #1405280 +++

In bug 1405280, I reported an SVG displaying improperly on my website in Firefox (the problem didn't happen in Chrome). It turns out that my CSP, which restricted style-src to 'self', was blocking inline styles embedded in the SVG.

According to :heycam, Firefox is doing the right thing and the bug is actually in Chrome. What would be useful to me as a web developer is a warning in the web console letting me know that some styles were blocked due to CSP. I had no idea that SVG contained inline styles, so this would help educate people like me and avoid erroneous bug reports in the future.
Are you viewing the SVG file directly or via an <img> or background-image CSS etc.? I think we warn if you view SVG files directly but not if you display SVG as an image.
Flags: needinfo?(mhenretty)
(In reply to Robert Longson from comment #1)
> Are you viewing the SVG file directly or via an <img> or background-image
> CSS etc. I think we warn if you view SVG files directly but not if you
> display SVG as an image.

Yeah, we were loading it via an <img src="logo.svg" />. It contains the offending inline style: attachment 8914712 [details].

Indeed, if you load only the SVG image you get this nice warning:
> Content Security Policy: The page’s settings blocked the loading of a resource at self (“style-src http://localhost:9000”). Source: .cls-1{fill:none;}.cls-2{fill:#fff;}.
> cv-logo-bw-dl.svg:1

But when loaded via the image tag, no warning. At first glance, this makes Firefox look broken compared to Chrome even though the reverse is actually true. The same message as above would be helpful here.

Note, we worked around this on the live site by using the handy nonce feature.
Flags: needinfo?(mhenretty)
I am confused, in part because everything seems to be working fine now. I do not see the CSP warning when opening the attachment (makes sense: where would the CSP come from?). I don't see a CSP warning when opening the SVG using a test link I dug out of the other bug, but maybe it's been changed?

Does the SVG itself have a CSP? 

It's not clear to me whether heycam is correct that Firefox's CSP behavior is correct. Like I said I'm not confident I'm interpreting the setup correctly, but an <img src=svg> should be its own document and not pick up the containing document's CSP. In fact that could in theory be used as an attack, although we don't allow scripts in <img svg> so it's limited. Inline SVG, on the other hand, is definitely covered by the document's CSP because it is in that document.
Flags: needinfo?(mhenretty)
(In reply to Daniel Veditz [:dveditz] from comment #3)
> I do not see the CSP warning when opening the attachment (makes sense: where
> would the CSP come from?).

Right, opening a local file has no CSP.

> I don't see a CSP warning when opening the SVG
> using a test link I dug out of the other bug, but maybe it's been changed?

Yeah, we added a nonce to allow the inline styles for that document. Try loading that svg file from a server that blocks inline styles.

> 
> Does the SVG itself have a CSP?

No, it only has an inline style.

> 
> It's not clear to me whether heycam is correct that Firefox's CSP behavior
> is correct. Like I said I'm not confident I'm interpreting the setup
> correctly, but an <img src=svg> should be its own document and not pick up
> the containing document's CSP. 

Even if it's its own document, it is still loaded from the same server which has the CSP, and that CSP should (IMO) apply to all documents loaded from that domain.


>  In fact that could in theory be used as an
> attack, although we don't allow scripts in <img svg> so it's limited.
> in-line SVG, on the other hand, is definitely covered by the document's CSP
> because it is in that document.

The problem is inline styles (CSS) contained within the SVG. I cannot comment on the security risk of that.
Flags: needinfo?(mhenretty)
I'll mark this Bug blocking Bug 1242016. Within Bug 1242016 we are trying to make web console logging more sophisticated and this bug falls exactly into that line.
Blocks: 242016
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
(In reply to Michael Henretty [:mikehenrty][:mhenretty] from comment #4)
> > Does the SVG itself have a CSP?
> 
> No, it only has an inline style.

It doesn't internally, but from what you've said it is _served_ with a CSP header which means it DOES.

In which case we're doing the right thing (the SVG image document obeys its own CSP, which in theory could be different from the page's CSP).

_THIS_ bug is about the fact that we're not issuing useful warnings. It probably showed up on the Browser console, but nobody ever checks there and the page's web console would be more appropriate.
Blocks: csp-console-logging
No longer blocks: 242016
No longer blocks: csp-console-logging
Status: NEW → RESOLVED
Closed: 6 years ago
OS: Linux → All
Hardware: x86_64 → All
Resolution: --- → DUPLICATE