Closed Bug 1410730 Opened 7 years ago Closed 7 years ago

CSP style-src enforced even for style attributes within SVG images loaded from img tag

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Version:
56 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1262842

People

(Reporter: S.N.Maijers, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20171009141542

Steps to reproduce:

Visit https://www.structure.systems/en-GB.html .


Actual results:

The top right logo renders black.

This HTML tag produces the problem:

```html
<img title="Structure Systems logo" alt="Structure Systems logo" src="https://www.structure.systems/media/Logo-Structure-Systems.svg" class="stretch_height">
```

This seems to be mediated by this CSP header:
```
content-security-policy: default-src 'none'; img-src 'self'; font-src 'self'; child-src 'self'; frame-src 'self'; worker-src 'self'; object-src 'self'; style-src 'self'; block-all-mixed-content;
```


Expected results:

The image should be rendered properly, as observed using Chromium.

Here, SVG is used [as an image](https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image). It is required to use inline styles.
Is this a duplicate of bug 1262842
Component: Untriaged → DOM: Security
Product: Firefox → Core
(In reply to Robert Longson [:longsonr] from comment #1)
> Is this a duplicate of bug 1262842

It seems so! I didn't manage to discover that report myself.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.