
[CSP] SVG-in-img implementation difference

From: Ted Mielczarek <ted@mozilla.com>
Date: Thu, 17 Apr 2014 08:30:39 -0400
Message-ID: <534FC96F.1090802@mozilla.com>
To: public-webappsec@w3.org

I've found a CSP implementation difference between Firefox and Chrome
regarding the display of SVG-in-img-tag. I'm not intimately familiar
with the CSP spec and a cursory reading didn't provide any insight as to
which browser was correct. The difference shows on this GitHub README of
mine which contains an img tag with an SVG src:

In Firefox (Windows Nightly 31.0a1 (2014-04-16)) the SVG renders
all-black. In Chrome Canary (Windows 36.0.1942.0) the SVG renders as

GitHub is serving the SVG from a CDN which sends a restrictive CSP header:
Content-Security-Policy: default-src 'none'

Loading the SVG by itself renders all-black in both Firefox and Chrome,
which is expected because it uses inline styles. The GitHub page the img
is embedded in sends a less-restrictive CSP header:
Content-Security-Policy: default-src *; script-src
https://github.global.ssl.fastly.net https://ssl.google-analytics.com
https://collector-cdn.github.com; style-src 'self' 'unsafe-inline'
'unsafe-eval' https://github.global.ssl.fastly.net; object-src

It appears that Chrome is applying the CSP from the top-level page's
response to the SVG document, whereas Firefox is applying the CSP from
the SVG document's response. Which behavior is correct here?

Received on Thursday, 17 April 2014 12:31:07 UTC
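
Added example, not part of the original message: a simplified CSP evaluator run over the two policies quoted above, showing why the choice of governing policy decides whether the SVG's inline styles apply. The function names and the "styled" label are assumptions made for illustration; nonces, hashes and reporting are not modelled, and the sketch does not say which browser is correct.

```javascript
// Policies are copied from the message above. The page policy is cut off
// after "object-src" in the archive and is used here as it appears there.
const SVG_RESPONSE_POLICY = "default-src 'none'";
const PAGE_POLICY =
  "default-src *; script-src https://github.global.ssl.fastly.net " +
  "https://ssl.google-analytics.com https://collector-cdn.github.com; " +
  "style-src 'self' 'unsafe-inline' 'unsafe-eval' " +
  "https://github.global.ssl.fastly.net; object-src";

// Parse a policy string into Map<directive-name, source-expression[]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP parsing rules, a repeated directive is ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list governing a directive, falling back to default-src.
// Returns null when neither is present (no restriction).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Inline <style> and style="" are allowed only if the governing list
// contains 'unsafe-inline'. A bare * does not permit inline content.
function allowsInlineStyle(policy) {
  const sources = effectiveSources(parsePolicy(policy), "style-src");
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Expected rendering of the SVG under whichever policy governs it.
function svgRendering(governingPolicy) {
  return allowsInlineStyle(governingPolicy) ? "styled" : "all-black";
}

console.log("SVG response policy governs:  ", svgRendering(SVG_RESPONSE_POLICY));
console.log("Embedding page policy governs:", svgRendering(PAGE_POLICY));
```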
