
Re: Rate SVG resources to CSP directive

From: Renata Hodovan <hodovan@inf.u-szeged.hu>
Date: Tue, 07 Feb 2012 16:10:08 +0100
Message-ID: <4F313ED0.2000306@inf.u-szeged.hu>
To: public-webappsec@w3.org

Hi Folks,

For lack of any answer, I tried to figure out myself what we should do in
this case. Since I'm not an expert in CSP, I'm not sure whether they
prove anything at all.

The first thing is in the CSP standard:
"The img-src directive defines the list of sources that are permitted
to load <img> elements and shortcut icons, or favicons."
Since <img> can refer to SVG resources, I guess they are handled in a
similar way. Am I wrong?

Secondly, I was fumbling in Firefox's source code and in their Bugzilla.
Here are the bugs which could be touched in this question IMO:
https://bugzilla.mozilla.org/show_bug.cgi?id=269482 - Allow <svg:use> to reference elements in other documents
https://bugzilla.mozilla.org/show_bug.cgi?id=276431 - external SVG not loaded from img tag

Furthermore the source of nsDataDocumentContentPolicy::ShouldLoad() 
contains the following:

  if (doc->IsBeingUsedAsImage()) {
    // We only allow SVG images to load content from URIs that are local and
    // also satisfy one of the following conditions:
    //  - URI inherits security context, e.g. data URIs
    //   OR
    //  - URI loadable by subsumers, e.g. blob URIs
    // Any URI that doesn't meet these requirements will be rejected below.

This intimated to me that SVG images are handled as images.
Link to this file: 
http://dxr.mozilla.org/mozilla/mozilla-central/content/base/src/nsDataDocumentContentPolicy.cpp.html

As I mentioned earlier, I'm familiar with neither Firefox nor CSP. But I
hope that the things above will help somebody to give us the correct answer.

Thanks in advance,
Reni

On 2012-02-02 23:14, Adam Barth wrote:
> dveditz,
>
> Do you know how Firefox handles this kind of resource currently?
>
> Adam
>
>
> 2012/2/1 Renata Hodovan<hodovan@inf.u-szeged.hu>:
>> Hi All,
>>
>> my name is Renata Hodovan and I work on WebKit. I'd like to add external
>> resource support to SVGUseElement. During this I faced a problem. We should
>> rate this new resource under a Content-Security-Policy directive. So the
>> question is which one should it belong to? Currently I added it to the image
>> directive. Is it right?
>> You can find the bug here: https://bugs.webkit.org/show_bug.cgi?id=12499
>>
>> Thanks in advance,
>> Reni
>>
Received on Tuesday, 7 February 2012 15:14:01 GMT