svg xlink:href webRequest should be classified as image, not other
Categories: WebExtensions :: Request Handling, enhancement
Tracking: Not tracked
People: Reporter: alex_y_xu, Unassigned, NeedInfo
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
on gitlab, using umatrix, allow all but "other" requests.
Actual results:
icons are not displayed
Expected results:
icons are displayed
imo, if <use href> has the same security properties as <img src>, it should be treated the same for webRequests.
I also just checked in Chromium 81, and the gitlab icons display correctly as long as "image" is allowed.
Comment 2•4 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 3•4 years ago
I created a minimal extension that logs every request, opened gitlab.com (redirected to about.gitlab.com) but don't see any request of type "other".
I looked in the source code of gitlab.com, but don't see any <svg> with an image that uses xlink:href. Could you be a bit more specific on which image is affected?
about.gitlab.com doesn't have any icons... you need to go to the actual gitlab application, like https://gitlab.com/mozilla.
Comment 5•4 years ago
The relevant SVG at https://gitlab.com/mozilla is:
<svg class="s16 search-icon"><use xlink:href="https://gitlab.com/assets/icons-91a4dccf30ab8eaba275191ffd3b52d0d5c59311adf85eddc5464e8e3eca5360.svg#search"></use></svg>
This is type "other" because it says so in ExternalResourceMap::PendingLoad::StartLoad, with the next call stack:
ExternalResourceMap::PendingLoad::StartLoad
-NS_NewChannel(... aRequestingNode ... nsIContentPolicy::TYPE_OTHER
ExternalResourceMap::RequestResource
-load->StartLoad(clone, aReferrerInfo, aRequestingNode)
Document::RequestExternalResource
-.RequestResource(aURI, aReferrerInfo, aRequestingNode, this, aPendingLoad)
IDTracker::ResetToURIFragmentID
-doc->RequestExternalResource(aURI, aReferrerInfo, aFromContent, load);
SVGUseElement::LookupHref
-mReferencedElementTracker.ResetToURIFragmentID(this, targetURI, referrerInfo);
SVGUseElement::UpdateShadowTree
-LookupHref();
To get "image" to appear in the webRequest API, TYPE_OTHER should be changed to TYPE_IMAGE. Since the referenced methods are also used by others, this change must be conditional. Possibly by querying the aRequestingNode parameter inside StartLoad, or perhaps by adding an extra parameter to the methods and forwarding the value through calls starting from SVGUseElement.
Cameron, what do you suggest here?
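What the TYPE_OTHER classification in comment 5 means for a request-filtering extension, as an added example that is not part of the bug thread and is not uMatrix code. It assumes a Manifest V2 extension with the "webRequest", "webRequestBlocking" and "<all_urls>" permissions; the function names, the policy shape and the `.svg` path heuristic are hypothetical, and the sample requests are constructed.

```javascript
// Added example. Names and the policy shape are hypothetical, not uMatrix code.

// Policy from the report: every request type is allowed except "other".
const blockedTypes = new Set(["other"]);

// Assumption: an "other" request whose URL path ends in ".svg" is an external
// SVG reference such as <use xlink:href>, and is filed under "image".
function effectiveType(details) {
  if (details.type !== "other") return details.type;
  let path;
  try {
    path = new URL(details.url).pathname; // pathname excludes "#search"
  } catch (e) {
    return "other"; // unparsable URL: keep the stricter classification
  }
  return path.toLowerCase().endsWith(".svg") ? "image" : "other";
}

// Returns the type the policy was applied to and whether to cancel the request.
function decide(details, normalize) {
  const type = normalize ? effectiveType(details) : details.type;
  return { type, cancel: blockedTypes.has(type) };
}

// Constructed sample events, shaped like webRequest.onBeforeRequest details.
const sampleRequests = [
  { type: "other", url: "https://gitlab.example/assets/icons.svg#search" },
  { type: "image", url: "https://gitlab.example/uploads/avatar.png" },
  { type: "other", url: "https://gitlab.example/api/report" },
];

// Cancel decision for each sample, with or without the normalization step.
function summarize(normalize) {
  return sampleRequests.map((d) => decide(d, normalize).cancel);
}

// Inside an extension background page, log and enforce the decision.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeRequest.addListener(
    (details) => {
      const verdict = decide(details, true);
      console.log(details.type, "->", verdict.type, details.url);
      return { cancel: verdict.cancel };
    },
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}
```

The heuristic matches every "other"-typed request for a `.svg` path, not only `<use>` loads, so it widens the image rule; the logged lines show which requests were reclassified.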
Comment 6•4 years ago
I just saw https://github.com/whatwg/fetch/issues/1012, which is relevant here. Chrome/Safari seem to treat xlink:href as images for everything including CSP.
Comment 7•3 years ago
Apologies for overlooking this needinfo. Daniel, maybe you can answer comment 5?