
Re: [CSP] SVG-in-img implementation difference

From: Mike West <mkwst@google.com>
Date: Wed, 23 Apr 2014 14:32:02 +0200
Message-ID: <CAKXHy=c5_o63KRxhPuPmR1-4mgeR==VGEca2arpGth1knfpbtg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Ted Mielczarek <ted@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

If we want 'img-src' to restrict a page's ability to reference a GIF, then
that restriction should apply regardless of whether the GIF is pulled in
via <img> directly or indirectly.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Wed, Apr 23, 2014 at 2:29 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Apr 23, 2014 at 2:22 PM, Mike West <mkwst@google.com> wrote:
> > This is especially relevant for scripting restrictions; I believe script
> > executes in an SVG document in the same execution context as the document
> > the SVG was included in. Given that, we'd certainly want to ensure that the
> > _page's_ 'script-src' directive applied.
>
> Well, SVG-as-image should not execute script to begin with. Part of
> the problem here is that the SVG-as-image concept is not very well
> defined. Given that SVG-as-image resources are already meant to be
> "safe" (no more dangerous than referencing a GIF) I do not see any
> reason why CSP would be applicable to it.
>
>
> --
> http://annevankesteren.nl/
>
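As an added example that is not part of this thread or of any browser's implementation, the following Python models the position taken in the message above: the embedding page's 'img-src' directive (falling back to 'default-src') is applied to every image fetch, whether the GIF is referenced directly from an <img> or indirectly from an <image> inside an SVG that was itself loaded as an image. The source-expression matcher is a simplified version of CSP host-source matching ('none', 'self', scheme-source, host-source with a leading wildcard); the page origin, policy string and fetch list are constructed sample data, and the `Fetch` record and its `initiator`/`chain` fields are assumptions made for the illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Fetch:
    """A single image request (hypothetical record, constructed for this example)."""
    url: str            # URL being requested
    initiator: str      # "img" for a direct <img>, "svg-image" for <image> inside an SVG-as-image
    chain: tuple = ()   # URLs of the SVG-as-image documents this fetch was reached through


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def directive_sources(policy: str, name: str):
    """Source expressions for directive `name`, or None if the directive is absent."""
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def image_sources(policy: str):
    """img-src governs image fetches; CSP falls back to default-src when img-src is absent."""
    sources = directive_sources(policy, "img-src")
    if sources is None:
        sources = directive_sources(policy, "default-src")
    return sources  # None means no applicable restriction


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.com" matches cdn.example.com, not example.com
    return pattern == host


def source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Simplified CSP source-expression match: 'none', 'self', scheme-source, host-source."""
    target = urlsplit(url)
    page = urlsplit(page_origin)
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (target.scheme, target.hostname, _effective_port(target)) == \
               (page.scheme, page.hostname, _effective_port(page))
    if expr.endswith(":"):  # scheme-source such as "https:"
        return target.scheme == expr[:-1]
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    host, _, port = rest.partition(":")
    if scheme is None:
        # Host-source without a scheme: the request scheme must match the page's
        # scheme, with http pages allowed to load https resources.
        if not (target.scheme == page.scheme or (page.scheme == "http" and target.scheme == "https")):
            return False
    elif target.scheme != scheme:
        return False
    if host != "*" and not _host_matches(host, (target.hostname or "").lower()):
        return False
    if port and port != "*" and str(_effective_port(target)) != port:
        return False
    return True


def fetch_allowed(policy: str, page_origin: str, fetch: Fetch) -> bool:
    """The embedding page's policy is applied to the fetch at any nesting depth."""
    sources = image_sources(policy)
    if sources is None:
        return True
    return any(source_allows(s, fetch.url, page_origin) for s in sources)


def blocked_urls(policy: str, page_origin: str, fetches) -> list:
    """URLs in `fetches` that the page's image policy would refuse."""
    return [f.url for f in fetches if not fetch_allowed(policy, page_origin, f)]


# Constructed sample: a page on https://app.example embeds an SVG from its CDN;
# that SVG, loaded as an image, references one GIF on the CDN and one elsewhere.
PAGE_ORIGIN = "https://app.example"
POLICY = "default-src 'none'; img-src 'self' https://cdn.example.com"
SAMPLE_FETCHES = [
    Fetch("https://app.example/hero.gif", "img"),
    Fetch("https://cdn.example.com/logo.svg", "img"),
    Fetch("https://cdn.example.com/inner.gif", "svg-image", ("https://cdn.example.com/logo.svg",)),
    Fetch("https://tracker.example/pixel.gif", "svg-image", ("https://cdn.example.com/logo.svg",)),
]

if __name__ == "__main__":
    for f in SAMPLE_FETCHES:
        verdict = "allowed" if fetch_allowed(POLICY, PAGE_ORIGIN, f) else "BLOCKED"
        print(f"{verdict:8} depth={len(f.chain)} {f.initiator:10} {f.url}")
```

Run stand-alone, the sample policy permits the page's own GIF, the CDN-hosted SVG and the GIF the SVG references from the same CDN, and refuses only the GIF the SVG references from a third host; the nesting depth is recorded but never changes the verdict, which is the point being argued.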
Received on Wednesday, 23 April 2014 12:32:50 UTC
