CSP blocks SVG imported with USE
(Core :: DOM: Security, defect)
(Reporter: bugzilla.mozilla.org, Unassigned)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0
Steps to reproduce:
Consider the following HTML example that imports an SVG symbol using USE.
<svg><use href="test.svg#symbol"/></svg>
Now consider the following Content-Security-Policy, where the default directive is 'none', but images from 'self' are allowed.
default-src 'none'; img-src 'self'
The SVG image is hosted on the same domain as the HTML.
Actual results:
Loading of the SVG image is blocked, with the following message on the console:
Content-Security-Policy: The page’s settings blocked the loading of a resource at https://.../test.svg (“default-src”).
Expected results:
The SVG image should have been loaded (and shown), because CSP img-src is set to 'self'. It should not matter what default-src is set to.
I have tested this issue in Chromium and mobile Safari, both load the image as expected.
Interestingly, when default-src is set to 'self', the SVG loads, even with all CSP directives set to 'none'.
There might be issues with SVG inline style, but that's not why the image is blocked from loading.
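The disagreement in this report comes down to which directive a browser consults when it fetches the external document behind `<use href="test.svg#symbol">`. The following is an added example, not Firefox or Chromium code: a small CSP source-list evaluator that applies the standard fallback rule (a missing directive falls back to `default-src`) and then runs the same policy twice, once treating the `<use>` fetch as an image load governed by `img-src` (the reporter's expectation, and what Chromium and mobile Safari do per the report) and once applying `default-src` directly, which is what the Firefox console message in this report indicates. The page origin `https://example.test` is assumed; only `'none'`, `'self'`, `*` and scheme-qualified host sources are modelled.

```javascript
// Added example: minimal CSP source-list evaluator for the <use> fallback question.
// Not browser code. Models only 'none', 'self', '*' and full-origin host sources.

// Parse "default-src 'none'; img-src 'self'" into Map(directive -> [sources]).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Does a source list permit `url` for a document served from `pageOrigin`?
function sourceListAllows(sources, url, pageOrigin) {
  if (sources.includes("'none'")) return false;
  const target = new URL(url); // fragment (#symbol) is ignored by .origin
  for (const src of sources) {
    if (src === "*") return true;
    if (src === "'self'" && target.origin === pageOrigin) return true;
    if (!src.startsWith("'")) {
      // Host source: only scheme://host[:port] forms are modelled here;
      // scheme-less host sources are simply skipped (assumption of this example).
      try {
        if (new URL(src).origin === target.origin) return true;
      } catch (e) {
        /* not a full origin, skip */
      }
    }
  }
  return false;
}

// Evaluate one load. `governingDirective` is whatever directive the browser
// decided governs this load type; if it is absent, default-src applies; if
// neither is present the load is allowed. Returns which directive decided.
function evaluate(policy, governingDirective, url, pageOrigin) {
  const directives = parsePolicy(policy);
  let effective = governingDirective;
  if (!directives.has(effective)) effective = "default-src";
  if (!directives.has(effective)) return { allowed: true, directive: null };
  return {
    allowed: sourceListAllows(directives.get(effective), url, pageOrigin),
    directive: effective,
  };
}

// Model A: the <use> fetch is an image load, so img-src governs (reporter's
// expectation; what Chromium and mobile Safari do per this report).
function useLoadAsImage(policy, url, pageOrigin) {
  return evaluate(policy, "img-src", url, pageOrigin);
}

// Model B: default-src is applied directly to the <use> fetch, which is what
// the "(default-src)" console message in this report shows Firefox doing.
function useLoadAsDefault(policy, url, pageOrigin) {
  return evaluate(policy, "default-src", url, pageOrigin);
}

// Constructed inputs matching the report: same-origin SVG, two policies.
const PAGE_ORIGIN = "https://example.test"; // assumed origin
const SVG_URL = "https://example.test/test.svg#symbol";
const POLICY_FROM_REPORT = "default-src 'none'; img-src 'self'";
const POLICY_DEFAULT_SELF = "default-src 'self'; img-src 'none'";

if (typeof require !== "undefined" && require.main === module) {
  console.log("img-src model:    ", useLoadAsImage(POLICY_FROM_REPORT, SVG_URL, PAGE_ORIGIN));
  console.log("default-src model:", useLoadAsDefault(POLICY_FROM_REPORT, SVG_URL, PAGE_ORIGIN));
  console.log("default-src 'self' only, default-src model:",
    useLoadAsDefault(POLICY_DEFAULT_SELF, SVG_URL, PAGE_ORIGIN));
}
```

Under model A the report's policy allows the load (decided by `img-src`); under model B the same policy blocks it (decided by `default-src`), which matches the console message quoted above. Model B also reproduces the second observation in the report: with `default-src 'self'` the load succeeds regardless of `img-src`, because `img-src` is never consulted.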
Comment 4 • 1 year ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 5 • 1 year ago
This is not specified and as a result Chrome and Firefox behaviour differs.