923392 - CSP blocks inline stylesheets in SVG (Firefox renders SVG not correctly when fetched from certain server (maybe config issue?))

Status: RESOLVED WORKSFORME

(Firefox :: Untriaged, defect)

Description

[Lewin Bormann]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0 Iceweasel/25.0 (Beta/Release)
Build ID: 20130928100402

Steps to reproduce:

Load this file: http://new.list-gymnasium.de/assets/layout/img/svg/header-bg.svg


Actual results:

Instead of a blueish color gradient, the SVG is rendered completely black.


Expected results:

However, when the exactly same file (sha1 should be b5d4549...) is loaded

1. from Hard Disk/local storage
2. from another server (http://lbo.spheniscida.de/header-bg.svg)
3. using Chrome

it's displayed correctly. I checked the HTTP headers for obvious mistakes, but the file is delivered as image/svg+xml from both servers. Maybe you detect something? The headers accompanying the not-working file are here: http://paste.debian.net/49298/
The working-file headers here: http://paste.debian.net/49299/

This problem first appeared with Firefox 24 on Debian GNU/Linux amd64, with many add-ons installed. It still is there with Firefox 25 and a "vanilla" (i.e. without any add-ons, new profile) installation of Firefox 24 on Ubuntu Raring amd64 (virtualized).

The SVG file was created using Inkscape and back then saved as "Plain SVG". Inkscape renders the file correctly, and so does the renderer used by the GTK file preview and eog (dunno what exactly it is - some GTK+ parts??)

Comment 1

[Robert Longson [:longsonr]]

The defs element is incorrectly written as <defs rather than <defs>.

Comment 2

[Lewin Bormann]

That doesn't answer the question why the SVG is rendered different when loading from different servers?

Comment 3

[Robert Longson [:longsonr]]

When you save it you're probably inadvertently correcting the file somehow.

Comment 4

[Lewin Bormann]

The file on the disk and the one on the servers are exactly the same.

Comment 5

[Robert Longson [:longsonr]]

Perhaps you're serving it with a different mime type then? Error correcting of text/html files is likely different.

Comment 6

[Lewin Bormann]

Did you even read my report!? The mime type is the same for both servers!

Comment 7

[Robert Longson [:longsonr]]

The document as you've provided it is displayed as it should. Do you have a something online we can check otherwise there's nothing we can do here.

Comment 8

[Robert Longson [:longsonr]]

Well it's odd but as the file is invalid I don't think we're likely to spend much time on this. Just correct the file, pretty much all the tags are invalid they're all <xxx rather than <xxx>

Comment 9

[Lewin Bormann]

A bit more time, please. You obviously DID NOT READ THAT SVG!!! The line says

 <defs
     id="defs3059">

That ACTUALLY is correct.

Comment 10

[Robert Longson [:longsonr]]

Sorry about that, I misread the text.

Somehow the <rect> style loads in the one case but doesn't in the other.

Comment 11

[Lewin Bormann]

Thank you.

Comment 12

[Alex]

The non working file has a content security policy header (with style-src 'self'), while the working file doesn't have that header.