- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 7 Feb 2012 10:51:47 -0800
- To: Renata Hodovan <hodovan@inf.u-szeged.hu>
- Cc: public-webappsec@w3.org
You should be able to test it directly if you have an SVG document that uses <svg:use>. Just serve it with a CSP policy:

X-Content-Security-Policy: default-src *; img-src 'none'

You can try various directives to see which blocks the load.

Adam

On Tue, Feb 7, 2012 at 7:10 AM, Renata Hodovan <hodovan@inf.u-szeged.hu> wrote:
> Hi Folks,
>
> For lack of any answer I tried to figure out myself what we should do in this case. Since I'm not an expert in CSP I'm not sure whether they prove anything at all.
>
> The first thing is in the CSP standard:
> "The img-src directive defines the list of sources that are permitted to load <img> elements and shortcut icons, or favicons."
> Since <img> can refer to SVG resources I guess they are handled in a similar way. Am I wrong?
>
> Secondly I was fumbling in Firefox's source code and in their Bugzilla. Here are the bugs which could be touched by this question IMO:
> https://bugzilla.mozilla.org/show_bug.cgi?id=269482 - Allow <svg:use> to reference elements in other documents
> https://bugzilla.mozilla.org/show_bug.cgi?id=276431 - external SVG not loaded from img tag
>
> Furthermore the source of nsDataDocumentContentPolicy::ShouldLoad() contains the following:
>
>     if (doc->IsBeingUsedAsImage()) {
>       // We only allow SVG images to load content from URIs that are local and
>       // also satisfy one of the following conditions:
>       //   - URI inherits security context, e.g. data URIs
>       //   OR
>       //   - URI loadable by subsumers, e.g. blob URIs
>       // Any URI that doesn't meet these requirements will be rejected below.
>
> This intimated to me that SVG images are handled as images.
> Link to this file:
> http://dxr.mozilla.org/mozilla/mozilla-central/content/base/src/nsDataDocumentContentPolicy.cpp.html
>
> As I mentioned earlier I'm familiar with neither Firefox nor CSP. But I hope that the things above will help somebody to give us the correct answer.
>
> Thanks in advance,
> Reni
>
>
> On 2012-02-02 23:14, Adam Barth wrote:
>> dveditz,
>>
>> Do you know how Firefox handles this kind of resource currently?
>>
>> Adam
>>
>> 2012/2/1 Renata Hodovan <hodovan@inf.u-szeged.hu>:
>>> Hi All,
>>>
>>> My name is Renata Hodovan and I work on WebKit. I'd like to add external resource support to SVGUseElement. During this I faced a problem. We should rate this new resource under a Content-Security-Policy directive. So the question is which one should it belong to? Currently I added it to the image directive. Is it right?
>>> You can find the bug here: https://bugs.webkit.org/show_bug.cgi?id=12499
>>>
>>> Thanks in advance,
>>> Reni
Received on Tuesday, 7 February 2012 18:55:52 UTC
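The test Adam describes, as an added harness that is not part of the thread: a small Python server that serves a host SVG containing <svg:use> under a chosen policy and records whether the browser ever requests the external file, which is the observable that tells you which directive governs the load. It sends both the prefixed X-Content-Security-Policy header used in the thread and the standard Content-Security-Policy header; the file names, element ids, port and the `fetched` list are constructed for this example.

```python
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Adam's policy: allow everything, then deny images. If the browser still fetches
# /external.svg, that engine does not govern the <use> load with img-src.
DEFAULT_DIRECTIVES = {"default-src": "*", "img-src": "'none'"}

# Constructed host document and the external file its <use> element points at.
HOST_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
            'xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">'
            '<use xlink:href="/external.svg#shape"/></svg>')
EXTERNAL_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
                '<rect id="shape" width="80" height="80" fill="green"/></svg>')

fetched = []  # external sub-resource paths the browser actually requested

def build_policy(directives):
    """Serialize a directive map to a header value, e.g. "default-src *; img-src 'none'"."""
    return "; ".join(f"{name} {value}" for name, value in directives.items())

def route(path):
    """Map a request path to (status, body) and record any fetch of external.svg."""
    if path == "/":
        return 200, HOST_SVG
    if path.split("?")[0] == "/external.svg":
        fetched.append(path)  # a CSP block shows up as this never happening
        return 200, EXTERNAL_SVG
    return 404, ""

class Handler(BaseHTTPRequestHandler):
    policy = build_policy(DEFAULT_DIRECTIVES)

    def do_GET(self):
        status, body = route(self.path)
        self.send_response(status)
        self.send_header("Content-Type", "image/svg+xml")
        # Prefixed header name used in the 2012 thread plus the standard one.
        self.send_header("X-Content-Security-Policy", self.policy)
        self.send_header("Content-Security-Policy", self.policy)
        self.end_headers()
        self.wfile.write(body.encode())
        if body == EXTERNAL_SVG:
            print("external.svg fetched: this policy did not block the <use> load")

if __name__ == "__main__":
    # Usage: python harness.py ["default-src *; img-src 'none'"], then open http://127.0.0.1:8000/
    if len(sys.argv) > 1:
        Handler.policy = sys.argv[1]
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run it once per candidate policy (for example swapping `img-src 'none'` for `default-src 'self'` or another directive) and watch the log: a missing "external.svg fetched" line means that policy blocked the <use> load in the browser under test.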