Re: img-src and inline <svg>

It's different from the perspective of Fetch.

But is it logically different from a data: url that is restricted by CSP?

If the goal of setting an img-src directive in CSP is to protect
against injection attacks adding unwanted image content to your page,
isn't inline SVG the perfect bypass of the logical intent of that
policy?

On Sun, Jul 27, 2014 at 7:37 AM, Glenn Adams <glenn@skynav.com> wrote:
>
> On Sun, Jul 27, 2014 at 7:12 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>
>> On Fri, Jul 25, 2014 at 9:53 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> > Should we require 'unsafe-inline' in img-src to allow inline SVG to be
>> > rendered?
>>
>> No.
>>
>> Inline SVG is no different from HTML. The "3.6 Policy applicability"
>> section is super confusing I think when it comes to how all these
>> things fit together. "Inline" SVG is completely different from <img
>> src=svg> or HTML fetched through XMLHttpRequest.
>
> I agree with Anne.
>
>>
>> --
>> http://annevankesteren.nl/
>>
>
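The distinction the thread is drawing, shown as an added example that is not code from this list, from any browser, or from the CSP specification: a small img-src matcher run over an injected fragment, where every `<img src>` (including a data: URL) is checked against the directive but inline `<svg>` markup never is, because it is parsed as DOM content rather than fetched. Function names and the *.example.test hosts are hypothetical.

```javascript
// Added example for this thread (not code from the W3C list or any browser):
// a small img-src matcher plus a scan of injected markup, showing that
// img-src governs every <img src> fetch, data: URLs included, while inline
// <svg> is parsed as DOM content and is never consulted against img-src.
// Function names and the sample hosts (*.example.test) are hypothetical.

// Build an allow/deny predicate from the img-src directive of a policy.
// Supports 'none', 'self', '*', scheme-sources (data:) and exact-origin
// host-sources; paths and wildcards in host-sources are left out.
function parseImgSrc(policy, pageUrl) {
  const m = /(?:^|;)\s*img-src\s+([^;]*)/i.exec(policy);
  if (!m) return () => true;                         // no img-src: unrestricted
  const sources = m[1].trim().split(/\s+/).map(s => s.toLowerCase());
  const pageOrigin = new URL(pageUrl).origin;
  return (url) => {
    const u = new URL(url, pageUrl);
    if (sources.includes("'none'")) return false;
    // '*' permits network schemes only, never data:/blob:/filesystem:
    if (sources.includes('*') && /^https?:$/.test(u.protocol)) return true;
    for (const src of sources) {
      if (src === "'self'" && u.origin === pageOrigin) return true;
      if (/^[a-z][a-z0-9+.-]*:$/.test(src) && u.protocol === src) return true;
      if (/^https?:\/\//.test(src) && u.origin === src) return true;
    }
    return false;
  };
}

// Report each image-bearing element in a fragment: <img> elements are
// checked against img-src; inline <svg> is flagged as outside its scope.
function auditImages(html, policy, pageUrl) {
  const allowed = parseImgSrc(policy, pageUrl);
  const findings = [];
  for (const m of html.matchAll(/<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    findings.push({ kind: 'img', src: m[1], governedByImgSrc: true, blocked: !allowed(m[1]) });
  }
  for (const _ of html.matchAll(/<svg\b/gi)) {
    findings.push({ kind: 'inline-svg', src: null, governedByImgSrc: false, blocked: false });
  }
  return findings;
}

// Constructed sample: a strict policy and a fragment an injection might add.
const SAMPLE_CSP = "default-src 'self'; img-src 'self' https://cdn.example.test";
const SAMPLE_PAGE = 'https://app.example.test/profile';
const SAMPLE_HTML =
  '<img src="https://evil.example.test/x.png">' +            // blocked: foreign origin
  '<img src="data:image/png;base64,iVBORw0KGgo=">' +          // blocked: no data: source
  '<img src="/static/logo.png">' +                            // allowed: same origin
  '<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'; // not governed

console.table(auditImages(SAMPLE_HTML, SAMPLE_CSP, SAMPLE_PAGE));
```

The inline `<svg>` row is the point of the thread: no img-src value, not even 'none', changes it, so the control against injected inline SVG is output encoding or sanitisation of untrusted markup, not the img-src directive.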

Received on Monday, 28 July 2014 17:21:14 UTC