W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2014

[CSP] SVG-in-img implementation difference

From: Ted Mielczarek <ted@mozilla.com>
Date: Thu, 17 Apr 2014 08:30:39 -0400
Message-ID: <534FC96F.1090802@mozilla.com>
To: public-webappsec@w3.org
I've found a CSP implementation difference between Firefox and Chrome
regarding the display of SVG-in-img-tag. I'm not intimately familiar
with the CSP spec and a cursory reading didn't provide any insight as to
which browser was correct. The difference shows on this github README of
mine which contains an img tag with an SVG src:
https://github.com/luser/gamepad-data/blob/0febaaa104aea2f58a2497b8fe8dfc4019397116/README.md

In Firefox (Windows Nightly 31.0a1 (2014-04-16)) the SVG renders
all-black. In Chrome Canary (Windows 36.0.1942.0) the SVG renders as
expected.

GitHub is serving the SVG from a CDN which sends a restrictive CSP header:
https://camo.githubusercontent.com/5106ad82a5460814243f93e5d0d9f91856ac1226/687474703a2f2f6c757365722e6769746875622e696f2f67616d657061642d646174612f67616d657061642e737667
Content-Security-Policy: default-src 'none'

Loading the SVG by itself renders all-black in both Firefox and Chrome,
which is expected because it uses inline styles. The GitHub page the img
is embedded in sends a less-restrictive CSP header:
Content-Security-Policy: default-src *; script-src
https://github.global.ssl.fastly.net https://ssl.google-analytics.com
https://collector-cdn.github.com; style-src 'self' 'unsafe-inline'
'unsafe-eval' https://github.global.ssl.fastly.net; object-src
https://github.global.ssl.fastly.net

It appears that Chrome is applying the CSP from the top-level page's
response to the SVG document, whereas Firefox is applying the CSP from
the SVG document's response. Which behavior is correct here?

-Ted
Received on Thursday, 17 April 2014 12:31:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC