W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2012

Re: Rate SVG resources to CSP directive

From: Renata Hodovan <hodovan@inf.u-szeged.hu>
Date: Thu, 09 Feb 2012 16:42:30 +0100
Message-ID: <4F33E966.9010307@inf.u-szeged.hu>
To: public-webappsec@w3.org
Hi Adam,

thanks for your advice. I tried it out on WebKit in the WK-specific format:

X-WebKit-CSP: default-src *; img-src 'none'

Just by this directive was the source invisible and this proves our 
suspicion that these SVG resources belong to img-src directive :)

See you on the bug ;)

Reni

2012-02-07 19:51 keltezéssel, Adam Barth írta:
> You should be able to test it directly if you have an SVG document
> that uses<svg:use>.  Just serve it with a CSP policy:
>
> X-Content-Security-Policy: default-src *; img-src 'none'
>
> You can try to various directives to see which blocks the load.
>
> Adam
>
>
> On Tue, Feb 7, 2012 at 7:10 AM, Renata Hodovan<hodovan@inf.u-szeged.hu>  wrote:
>> Hi Folks,
>>
>> for lack of any answer I tried to figure out myself what should we do in
>> this case. Since I'm not an expert in CSP I'm not sure whether they prove
>> anything at all.
>>
>> The first thing is in CSP standard:
>> " The img-src directive defines the list of sources that are permitted to
>> load<img>  elements and shortcut icons, or favicons."
>> Since<img>  can refer svg resources I guess they are handled similar way. Am
>> I wrong?
>>
>> Secondly I was fumbling in firefox's source code and in their bugzilla. Here
>> are the bugs which could be touched in this question IMO:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=269482 - Allow<svg:use>  to
>> reference elements in other documents
>> https://bugzilla.mozilla.org/show_bug.cgi?id=276431 - external SVG not
>> loaded from img tag
>>
>> Furthermore the source of nsDataDocumentContentPolicy::ShouldLoad() contains
>> the following:
>>
>> 100   if (doc->IsBeingUsedAsImage()) {
>> 101     // We only allow SVG images to load content from URIs that are local
>> and
>> 102     // also satisfy one of the following conditions:
>> 103     //  - URI inherits security context, e.g. data URIs
>> 104     //   OR
>> 105     //  - URI loadable by subsumers, e.g. blob URIs
>> 106     // Any URI that doesn't meet these requirements will be rejected
>> below.
>>
>> This intimated me that SVG images are handled as images.
>> Link to this file:
>> http://dxr.mozilla.org/mozilla/mozilla-central/content/base/src/nsDataDocumentContentPolicy.cpp.html
>>
>> As I mentioned earlier I'm familiar neither in firefox nor in CSP. But I
>> hope that the things above will help somebody to give us the correct answer.
>>
>> Thanks in advance,
>> Reni
>>
>>
>>
>>
>> 2012-02-02 23:14 keltezéssel, Adam Barth írta:
>>
>> dveditz,
>>
>> Do you know how Firefox handles this kind of resource currently?
>>
>> Adam
>>
>>
>> 2012/2/1 Renata Hodovan<hodovan@inf.u-szeged.hu>:
>>
>> Hi All,
>>
>> my name is Renata Hodovan and I work on WebKit. I'd like to add external
>> resource support to SVGUseElement. During this I faced a problem. We should
>> rate this new resource under a Content-Security-Policy directive. So the
>> question is which one should it belong to? Currently I added it to the image
>> directive. Is it right?
>> You can find the bug here: https://bugs.webkit.org/show_bug.cgi?id=12499
>>
>> Thanks in advance,
>> Reni
>>
>>
Received on Thursday, 9 February 2012 15:43:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 9 February 2012 15:43:01 GMT