- From: Renata Hodovan <hodovan@inf.u-szeged.hu>
- Date: Tue, 07 Feb 2012 16:10:08 +0100
- To: public-webappsec@w3.org
- Message-ID: <4F313ED0.2000306@inf.u-szeged.hu>
Hi Folks,

for lack of any answer I tried to figure out myself what we should do in this case. Since I'm not an expert in CSP I'm not sure whether they prove anything at all.

The first thing is in the CSP standard: "The img-src directive defines the list of sources that are permitted to load <img> elements and shortcut icons, or favicons." Since <img> can refer to SVG resources I guess they are handled in a similar way. Am I wrong?

Secondly I was fumbling in Firefox's source code and in their Bugzilla. Here are the bugs which could be touched in this question IMO:

https://bugzilla.mozilla.org/show_bug.cgi?id=269482 - Allow <svg:use> to reference elements in other documents
https://bugzilla.mozilla.org/show_bug.cgi?id=276431 - external SVG not loaded from img tag

Furthermore the source of nsDataDocumentContentPolicy::ShouldLoad() contains the following:

    if (doc->IsBeingUsedAsImage()) {
      // We only allow SVG images to load content from URIs that are local and
      // also satisfy one of the following conditions:
      //  - URI inherits security context, e.g. data URIs
      //    OR
      //  - URI loadable by subsumers, e.g. blob URIs
      // Any URI that doesn't meet these requirements will be rejected below.

This intimated to me that SVG images are handled as images. Link to this file:
http://dxr.mozilla.org/mozilla/mozilla-central/content/base/src/nsDataDocumentContentPolicy.cpp.html

As I mentioned earlier I'm familiar with neither Firefox nor CSP. But I hope that the things above will help somebody to give us the correct answer.

Thanks in advance,
Reni

http://mxr.mozilla.org/mozilla-central/source/image/src/SVGDocumentWrapper.cpp#263
http://dxr.mozilla.org/mozilla/mozilla-central/image/src/SVGDocumentWrapper.cpp.html

On 2012-02-02 23:14, Adam Barth wrote:
> dveditz,
>
> Do you know how Firefox handles this kind of resource currently?
>
> Adam
>
>
> 2012/2/1 Renata Hodovan <hodovan@inf.u-szeged.hu>:
>> Hi All,
>>
>> my name is Renata Hodovan and I work on WebKit. I'd like to add external
>> resource support to SVGUseElement. During this I faced a problem. We should
>> rate this new resource under a Content-Security-Policy directive. So the
>> question is which one should it belong to? Currently I added it to the image
>> directive. Is it right?
>> You can find the bug here: https://bugs.webkit.org/show_bug.cgi?id=12499
>>
>> Thanks in advance,
>> Reni
>>
Received on Tuesday, 7 February 2012 15:14:01 UTC
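How a policy would decide a load such as the external <svg:use> reference discussed in this thread if it is governed by img-src, as an added illustration (this is not code from the thread, from WebKit or from Firefox): a simplified CSP 1.0 style source-list check that consults img-src and falls back to default-src when img-src is absent. It ignores ports and the 'unsafe-*' keywords; the policy strings and URLs in it are constructed for the example.

```javascript
// Added example, not from the thread or either browser engine. Simplified
// CSP 1.0 source matching: 'none', 'self', '*', scheme-source ("data:") and
// host-source ("https://cdn.example.org", "*.example.org"); ports are ignored.

function parsePolicy(header) {
  // "img-src 'self' https://cdn.example.org; default-src 'none'" becomes
  // { "img-src": ["'self'", "https://cdn.example.org"], "default-src": ["'none'"] }
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function sourceMatches(expr, resource, origin) {
  // resource: URL of the thing being loaded; origin: URL of the protected document
  if (expr === "'none'") return false;
  if (expr === "'self'") return resource.origin === origin.origin;
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {            // scheme-source, e.g. "data:"
    return resource.protocol.toLowerCase() === expr.toLowerCase();
  }
  // host-source: [scheme://]host, where host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  // a host-source without a scheme inherits the protected document's scheme
  const wantScheme = (scheme || origin.protocol.replace(':', '')).toLowerCase();
  if (resource.protocol.toLowerCase() !== wantScheme + ':') return false;
  const rhost = resource.hostname.toLowerCase();
  return wildcard ? rhost.endsWith('.' + host.toLowerCase())
                  : rhost === host.toLowerCase();
}

function imageLoadAllowed(header, resourceUrl, documentUrl) {
  // Treat the load as image-like: img-src governs it, default-src is the fallback.
  const policy = parsePolicy(header);
  const list = policy['img-src'] || policy['default-src'];
  if (!list) return true;  // neither directive present: CSP does not restrict the load
  const resource = new URL(resourceUrl);
  const origin = new URL(documentUrl);
  return list.some(expr => sourceMatches(expr, resource, origin));
}
```

With `img-src 'self' https://cdn.example.org`, an external sprite referenced from the document's own origin or from cdn.example.org is permitted and one from any other host is refused, which is the behaviour the question in the thread turns on.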