Re: [CSP] SVG-in-img implementation difference

My impression is that images loaded in a protected resource should be
subject to that resource's CSP. In the same way that we apply the page's
CSP to the activities of injected script, and not any policy sent with the
script itself, we should apply the page's policy to SVG documents loaded as
images, and not a policy sent with the document itself.

This is especially relevant for scripting restrictions; I believe script
executes in an SVG document in the same execution context as the document
the SVG was included in. Given that, we'd certainly want to ensure that the
_page's_ 'script-src' directive applied.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Thu, Apr 17, 2014 at 2:30 PM, Ted Mielczarek <ted@mozilla.com> wrote:

> I've found a CSP implementation difference between Firefox and Chrome
> regarding the display of SVG-in-img-tag. I'm not intimately familiar
> with the CSP spec and a cursory reading didn't provide any insight as to
> which browser was correct. The difference shows on this github README of
> mine which contains an img tag with an SVG src:
>
> https://github.com/luser/gamepad-data/blob/0febaaa104aea2f58a2497b8fe8dfc4019397116/README.md
>
> In Firefox (Windows Nightly 31.0a1 (2014-04-16)) the SVG renders
> all-black. In Chrome Canary (Windows 36.0.1942.0) the SVG renders as
> expected.
>
> GitHub is serving the SVG from a CDN which sends a restrictive CSP header:
>
> https://camo.githubusercontent.com/5106ad82a5460814243f93e5d0d9f91856ac1226/687474703a2f2f6c757365722e6769746875622e696f2f67616d657061642d646174612f67616d657061642e737667
> Content-Security-Policy: default-src 'none'
>
> Loading the SVG by itself renders all-black in both Firefox and Chrome,
> which is expected because it uses inline styles. The GitHub page the img
> is embedded in sends a less-restrictive CSP header:
> Content-Security-Policy: default-src *; script-src
> https://github.global.ssl.fastly.net https://ssl.google-analytics.com
> https://collector-cdn.github.com; style-src 'self' 'unsafe-inline'
> 'unsafe-eval' https://github.global.ssl.fastly.net; object-src
> https://github.global.ssl.fastly.net
>
> It appears that Chrome is applying the CSP from the top-level page's
> response to the SVG document, whereas Firefox is applying the CSP from
> the SVG document's response. Which behavior is correct here?
>
> -Ted
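As an added example (not code from either message in this thread), the JavaScript below models the question the two messages discuss: it parses the two Content-Security-Policy headers Ted quoted, applies the default-src fallback that governs style-src and script-src when they are absent, and reports whether inline styles and inline script inside the SVG would be allowed depending on which response's policy is taken to govern the image. The page origin `https://github.com`, the sample URLs, and the simplified host matching (scheme, host and port only, no path component and no http-to-https upgrade matching) are assumptions of this example, not something either message states.

```javascript
// Added example, not code from either message in this thread. It models CSP
// directive lookup and source matching for an SVG loaded through <img>, using
// the two headers Ted quoted. Assumptions of this example: host-sources are
// matched on scheme/host/port only (no path), and there is no http->https
// upgrade matching. Runs under Node.js 14+ or any modern browser.

// Header sent with GitHub's page (quoted in Ted's message).
const PAGE_CSP =
  "default-src *; script-src https://github.global.ssl.fastly.net " +
  "https://ssl.google-analytics.com https://collector-cdn.github.com; " +
  "style-src 'self' 'unsafe-inline' 'unsafe-eval' https://github.global.ssl.fastly.net; " +
  "object-src https://github.global.ssl.fastly.net";

// Header sent by the camo CDN with the SVG itself (quoted in Ted's message).
const SVG_CSP = "default-src 'none'";

// Origin of the embedding page; assumed here for 'self' matching.
const PAGE_ORIGIN = 'https://github.com';

const DEFAULT_PORTS = { 'https:': '443', 'http:': '80' };

// Parse a Content-Security-Policy header into Map<directive, source list>.
// A repeated directive name is ignored after its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives (style-src, script-src, img-src, ...) fall back to
// default-src when absent. Returns null when the policy says nothing at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Does one source expression match a URL?
function sourceMatches(expr, url, selfOrigin) {
  if (expr === '*') return true;
  if (expr === "'self'") return url.origin === selfOrigin;
  if (expr.startsWith("'")) return false;           // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {         // scheme-source, e.g. https:
    return url.protocol.toLowerCase() === expr.toLowerCase();
  }
  // host-source: [scheme://][*.]host[:port]; path matching omitted in this example
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol.toLowerCase()) return false;
  const urlHost = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !urlHost.endsWith('.' + want) : urlHost !== want) return false;
  if (port && port !== '*') {
    const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
    if (urlPort !== port) return false;
  }
  return true;
}

// Would a URL be allowed to load under the given directive?
function allowsUrl(policy, directive, urlString, selfOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;                       // nothing restricts it
  if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return false;
  const url = new URL(urlString);
  return sources.some((expr) => sourceMatches(expr, url, selfOrigin));
}

// Would an inline <style> or <script> block be allowed under the directive?
function allowsInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

// The thread's question: which response's policy governs the SVG document?
// rule === 'page' is the behaviour Mike argues for (and Ted saw in Chrome);
// rule === 'svg-response' is what Ted saw in Firefox.
function evaluateSvgInImg(pageHeader, svgHeader, rule) {
  const policy = parseCsp(rule === 'page' ? pageHeader : svgHeader);
  return {
    governedBy: rule,
    inlineStyle: allowsInline(policy, 'style-src'),   // false => the SVG renders all-black
    inlineScript: allowsInline(policy, 'script-src'),
  };
}

for (const rule of ['page', 'svg-response']) {
  console.log(evaluateSvgInImg(PAGE_CSP, SVG_CSP, rule));
}
```

Run with `node`, the loop prints both evaluations: under the page's policy the SVG's inline styles are allowed but inline script is not, since the page's script-src lists only three hosts and no 'unsafe-inline'; under the SVG response's `default-src 'none'` both are blocked, which is the all-black rendering Ted describes.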

Received on Wednesday, 23 April 2014 12:23:33 UTC