CSP style-src enforced even for style attributes within SVG images loaded from img tag

RESOLVED DUPLICATE of bug 1262842

Status

()

defect
RESOLVED DUPLICATE of bug 1262842
2 years ago
2 years ago

People

(Reporter: S.N.Maijers, Unassigned)

Tracking

56 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Reporter

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20171009141542

Steps to reproduce:

Visit https://www.structure.systems/en-GB.html .


Actual results:

The top right logo renders black.

This HTML tag produces the problem:

```html
<img title="Structure Systems logo" alt="Structure Systems logo" src="https://www.structure.systems/media/Logo-Structure-Systems.svg" class="stretch_height">
```

This seems to be mediated by this CSP header:
```
content-security-policy: default-src 'none'; img-src 'self'; font-src 'self'; child-src 'self'; frame-src 'self'; worker-src 'self'; object-src 'self'; style-src 'self'; block-all-mixed-content;
```


Expected results:

The image should be rendered properly, as observed using Chromium.

Here, SVG is used [as an image](https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image). It is required to use inline styles.
Is this a duplicate of bug 1262842
Component: Untriaged → DOM: Security
Product: Firefox → Core
Reporter

Comment 2

2 years ago
(In reply to Robert Longson [:longsonr] from comment #1)
> Is this a duplicate of bug 1262842

It seems so! I didn't manage to discover that report myself.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1262842
You need to log in before you can comment on or make changes to this bug.