
Re: img-src and inline <svg>

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 28 Jul 2014 10:20:41 -0700
Message-ID: <CAEeYn8hNwx+6ueYyUjSHQRk8-w5tGVCd8BxtaN7vvr+Mm5vTqA@mail.gmail.com>
To: Glenn Adams <glenn@skynav.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

It's different from the perspective of Fetch.

But is it logically different from a data: url that is restricted by CSP?

If the goal of setting an img-src directive in CSP is to protect
against injection attacks adding unwanted image content to your page,
isn't inline SVG the perfect bypass of the logical intent of that
policy?

On Sun, Jul 27, 2014 at 7:37 AM, Glenn Adams <glenn@skynav.com> wrote:
>
> On Sun, Jul 27, 2014 at 7:12 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>
>> On Fri, Jul 25, 2014 at 9:53 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> > Should we require 'unsafe-inline' in img-src to allow inline SVG to be
>> > rendered?
>>
>> No.
>>
>> Inline SVG is no different from HTML. The "3.6 Policy applicability"
>> section is super confusing I think when it comes to how all these
>> things fit together. "Inline" SVG is completely different from <img
>> src=svg> or HTML fetched through XMLHttpRequest.
>
> I agree with Anne.
>
>> --
>> http://annevankesteren.nl/
Received on Monday, 28 July 2014 17:21:14 UTC
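To make the distinction the thread turns on concrete, here is an added illustration (not code from the thread or from any CSP implementation): a small subset of CSP img-src source matching, applied to the fetches that different markup constructs actually cause. The page origin, the policy and the sample constructs are constructed for the example; an inline <svg> with no external references produces no fetch at all, so img-src has nothing to evaluate, while <img src=...> and <image href=...> inside the SVG do.

```python
from urllib.parse import urlsplit

# Constructed sample policy, not from the thread: the page lives at PAGE_ORIGIN and
# sends "Content-Security-Policy: img-src 'self' https://cdn.example".
PAGE_ORIGIN = "https://app.example"
IMG_SRC = ["'self'", "https://cdn.example"]

def source_allows(expr, url, page_origin=PAGE_ORIGIN):
    """Match one CSP source expression against a URL (a subset of the spec's matching:
    'none', 'self', scheme sources like data:, host sources with optional scheme and *.).
    Keywords such as 'unsafe-inline' never match a URL; they only mean something for
    script-src and style-src, which is why they do not help an img-src policy."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr.endswith(":"):                    # scheme source, e.g. "data:"
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")  # host source, e.g. "https://cdn.example"
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host

def img_src_allows(url, img_src=IMG_SRC, page_origin=PAGE_ORIGIN):
    return any(source_allows(e, url, page_origin) for e in img_src)

def evaluate(construct, img_src=IMG_SRC):
    """Return [(resource, decision)] for each image fetch a markup construct causes.
    ("img", url): <img src=url> is one fetch, checked against img-src.
    ("inline-svg", [hrefs]): <svg> written straight into the HTML causes no fetch of
    its own, so img-src never sees it; only <image href=...> children are fetched."""
    kind, payload = construct
    if kind == "img":
        return [(payload, "allowed" if img_src_allows(payload, img_src) else "blocked")]
    if kind == "inline-svg":
        return [(h, "allowed" if img_src_allows(h, img_src) else "blocked") for h in payload]
    raise ValueError(f"unknown construct {kind!r}")

if __name__ == "__main__":
    samples = [("img", "https://app.example/logo.png"),
               ("img", "https://other.example/pixel.gif"),
               ("img", "data:image/png;base64,iVBORw0KGgo="),
               ("inline-svg", []),
               ("inline-svg", ["https://cdn.example/a.png", "https://other.example/b.png"])]
    for c in samples:
        print(c, "->", evaluate(c) or "no fetch: img-src does not apply")
```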
