Open Bug 1624471 Opened 4 years ago Updated 2 years ago

svg xlink:href webRequest should be classified as image, not other

Categories

(WebExtensions :: Request Handling, enhancement)

74 Branch
enhancement

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: alex_y_xu, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

on gitlab, using umatrix, allow all but "other" requests.

Actual results:

icons are not displayed

Expected results:

icons are displayed

imo, if <use href> has the same security properties as <img src>, it should be treated the same for webRequests.

I also just checked in Chromium 81, and the gitlab icons display correctly as long as "image" is allowed.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Request Handling
Product: Firefox → WebExtensions

I created a minimal extension that logs every request, opened gitlab.com (redirected to about.gitlab.com) but don't see any request of type "other".
I looked in the source code of gitlab.com, but don't see any <svg> with an image that uses xlink:href. Could you be a bit more specific on which image is affected?

Flags: needinfo?(alex_y_xu)
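A minimal request-logging extension of the kind described in the comment above, added here as an example (it is not code from this bug, from Gecko or from uMatrix). The classification helper is kept pure so it can be exercised on a constructed batch of request records; the manifest permissions and the sample records other than the sprite URL quoted later in the bug are assumptions.

```javascript
// Added example, not code from the bug report. Background script for a
// WebExtension that logs every webRequest and flags SVG sprite fetches
// (<use xlink:href="...svg#id">) that Firefox reports as type "other",
// which is exactly what an "allow all but other" uMatrix rule would block.

// Pure helper: true when a request of type "other" looks like an external
// SVG sprite reference (".svg" path plus a non-empty "#fragment").
function isSvgUseAsOther(details) {
  if (details.type !== "other") return false;
  let url;
  try { url = new URL(details.url); } catch (e) { return false; }
  return url.pathname.toLowerCase().endsWith(".svg") && url.hash.length > 1;
}

// Summarise a batch of webRequest details objects: count per type and
// collect the URLs that would be mis-blocked under a "block other" policy.
function summarize(records) {
  const byType = {};
  const svgAsOther = [];
  for (const d of records) {
    byType[d.type] = (byType[d.type] || 0) + 1;
    if (isSvgUseAsOther(d)) svgAsOther.push(d.url);
  }
  return { byType, svgAsOther };
}

// Inside a real extension background page, hook the helper to the API.
// Assumes manifest.json grants "webRequest" and <all_urls> host permission.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeRequest.addListener(
    (details) => {
      console.log(details.type, details.url);
      if (isSvgUseAsOther(details)) {
        console.warn("SVG sprite fetched as type 'other':", details.url);
      }
    },
    { urls: ["<all_urls>"] }
  );
}

// Constructed sample of what the listener could see on https://gitlab.com/mozilla.
// The sprite URL is the one quoted in this bug; the other records are illustrative.
const SAMPLE = [
  { type: "main_frame", url: "https://gitlab.com/mozilla" },
  { type: "image", url: "https://gitlab.com/uploads/-/system/logo.png" },
  { type: "other", url: "https://gitlab.com/assets/icons-91a4dccf30ab8eaba275191ffd3b52d0d5c59311adf85eddc5464e8e3eca5360.svg#search" },
  { type: "other", url: "https://gitlab.com/api/graphql" },
];
```

Running `summarize(SAMPLE)` in Node reports one mis-classified sprite load; in Chromium the same fetch would arrive with type "image" and the helper would ignore it.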

about.gitlab.com doesn't have any icons... you need to go to the actual gitlab application, like https://gitlab.com/mozilla.

Flags: needinfo?(alex_y_xu)

The relevant SVG at https://gitlab.com/mozilla is:

<svg class="s16 search-icon"><use xlink:href="https://gitlab.com/assets/icons-91a4dccf30ab8eaba275191ffd3b52d0d5c59311adf85eddc5464e8e3eca5360.svg#search"></use></svg>

This is type "other" because it says so in ExternalResourceMap::PendingLoad::StartLoad, with the next call stack:

To get "image" to appear in the webRequest API, TYPE_OTHER should be changed to TYPE_IMAGE. Since the referenced methods are also used by others, this change must be conditional. Possibly by querying the aRequestingNode parameter inside StartLoad, or perhaps by adding an extra parameter to the methods and forwarding the value through calls starting from SVGUseElement.

Cameron, what do you suggest here?

Flags: needinfo?(cam)

I just saw https://github.com/whatwg/fetch/issues/1012, which is relevant here. Chrome/Safari seem to treat xlink:href as images for everything including CSP.

Apologies for overlooking this needinfo. Daniel, maybe you can answer comment 5?

Flags: needinfo?(cam) → needinfo?(dholbert)
Severity: normal → S3