- From: Ted Mielczarek <ted@mozilla.com>
- Date: Thu, 17 Apr 2014 08:30:39 -0400
- To: public-webappsec@w3.org
I've found a CSP implementation difference between Firefox and Chrome regarding the display of SVG-in-img-tag. I'm not intimately familiar with the CSP spec and a cursory reading didn't provide any insight as to which browser was correct.

The difference shows on this github README of mine which contains an img tag with an SVG src:
https://github.com/luser/gamepad-data/blob/0febaaa104aea2f58a2497b8fe8dfc4019397116/README.md

In Firefox (Windows Nightly 31.0a1 (2014-04-16)) the SVG renders all-black. In Chrome Canary (Windows 36.0.1942.0) the SVG renders as expected.

GitHub is serving the SVG from a CDN which sends a restrictive CSP header:
https://camo.githubusercontent.com/5106ad82a5460814243f93e5d0d9f91856ac1226/687474703a2f2f6c757365722e6769746875622e696f2f67616d657061642d646174612f67616d657061642e737667

Content-Security-Policy: default-src 'none'

Loading the SVG by itself renders all-black in both Firefox and Chrome, which is expected because it uses inline styles.

The GitHub page the img is embedded in sends a less-restrictive CSP header:

Content-Security-Policy: default-src *; script-src https://github.global.ssl.fastly.net https://ssl.google-analytics.com https://collector-cdn.github.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://github.global.ssl.fastly.net; object-src https://github.global.ssl.fastly.net

It appears that Chrome is applying the CSP from the top-level page's response to the SVG document, whereas Firefox is applying the CSP from the SVG document's response. Which behavior is correct here?

-Ted
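Why the two policies give different results for the SVG's inline styles, as an added example that is not part of the e-mail or of either browser's implementation: a small CSP directive parser that applies the default-src fallback rule to the two header values quoted above. The parsing is simplified (first occurrence of a directive wins, source expressions are compared as literal tokens).

```python
from typing import Dict, List, Optional

# The two header values quoted in the e-mail: the CDN's policy on the SVG
# response and the policy on the GitHub page that embeds the <img>.
SVG_RESPONSE_CSP = "default-src 'none'"
PAGE_CSP = (
    "default-src *; "
    "script-src https://github.global.ssl.fastly.net https://ssl.google-analytics.com "
    "https://collector-cdn.github.com; "
    "style-src 'self' 'unsafe-inline' 'unsafe-eval' https://github.global.ssl.fastly.net; "
    "object-src https://github.global.ssl.fastly.net"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated; the first token is the directive name and
    the remaining tokens are its source expressions. If a directive is
    repeated, the first occurrence wins and later ones are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list governing `directive`: the directive itself if present,
    otherwise default-src (the CSP fallback rule), otherwise None (unrestricted)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def inline_style_allowed(header: str) -> bool:
    """True if inline styles (style="" attributes, <style> blocks) may apply
    under this policy: style-src falls back to default-src, and the governing
    list must contain 'unsafe-inline'. 'none' or '*' alone never permit inline."""
    sources = effective_sources(parse_csp(header), "style-src")
    if sources is None:
        return True  # no style-src and no default-src: nothing restricts styles
    return "'unsafe-inline'" in sources
```

Under the SVG response's own policy inline styles are blocked (hence the all-black render), while under the embedding page's policy they are permitted, which is exactly the difference the two browsers expose.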
Received on Thursday, 17 April 2014 12:31:07 UTC