Closed
Bug 1493735
Opened 6 years ago
Closed 6 years ago
CSP without "style-src" blocks svg images loaded with <img>
Categories
(Core :: SVG, defect, P3)
Tracking
()
RESOLVED
DUPLICATE
of bug 1262842
| Tracking | Status | |
|---|---|---|
| firefox64 | --- | fix-optional |
People
(Reporter: michiel, Unassigned)
Details
(Keywords: regression, regressionwindow-wanted)
Something changed in nightly that's now causing CSP that doesn't explicitly allow style-src to now also erroneously forbid SVG images (which are by definition inline styled) when loading them with an <img> tag.
This breaks quite a few websites that use SVG images for icons etc =)
|
||
Comment 1•6 years ago
|
||
If it changed recently you should be able to get a regression range with https://mozilla.github.io/mozregression/.
Flags: needinfo?(pomax)
|
||
Comment 2•6 years ago
|
||
Also, could you provide a URL that's affected (whose images fail to load in Nightly)?
|
||
Updated•6 years ago
|
Keywords: regression,
regressionwindow-wanted
|
|
||
Comment 3•6 years ago
|
||
Not totally sure we can get a regression window without a testcase.
|
||
Comment 4•6 years ago
|
||
I wrote some quick tests:
1. https://mcc.id.au/2018/09/image-csp-style-none.html
2. https://mcc.id.au/2018/09/image-csp-style-none-style-attr.html
3. https://mcc.id.au/2018/09/image-csp-style-none-pres-attr.html
These are SVGs referenced through an <img>, with the rect style specified in different ways, and all with a "style-src 'none'" CSP set through a header on the SVG resource.
In Firefox, tests #1 and #3 show a black rect, and #2 shows a green rect. I don't think this is a recent change -- I tested a 2016-01-01 build and it showed the same.
In Chrome, Safari, and Edge, all three show a green rect.
pomax, can you confirm this is the issue?
|
|
||
Updated•6 years ago
|
Priority: -- → P3
|
|
||
Comment 5•6 years ago
|
||
Christian, could you confirm that Firefox's behavior in the test cases in comment 4 are correct, given that we are different from the other browsers here?
Flags: needinfo?(ckerschb)
|
|
||
Comment 6•6 years ago
|
||
See also bug 1262842 comment 4 onwards. This bug may be a duplicate of that one.
|
|
||
Comment 7•6 years ago
|
||
Ah, Christopher's comment 4 there answers my question exactly, thanks.
If the reporter confirms this is the same issue, we can dupe it there.
Flags: needinfo?(ckerschb)
Sorry for the radio silence, I didn't have the opportunity to respond earlier. Cameron did a fine job with the test cases: we have style-src set to 'self' but the effect is the same as his tests.
Flags: needinfo?(pomax)
|
|
||
Updated•6 years ago
|
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
|
||
Comment 10•6 years ago
|
||
Tracking this over in bug 1262842.
You need to log in
before you can comment on or make changes to this bug.
Description
•