W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: img-src and inline <svg>

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 28 Jul 2014 19:28:07 +0200
Message-ID: <CADnb78jhBaiEGeZzOpDMBDuAp46n0zbLwcZGN88fqqgt4AeQnA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jul 28, 2014 at 7:20 PM, Brad Hill <hillbrad@gmail.com> wrote:
> But is it logically different from a data: url that is restricted by CSP?

Yes. Very much so.

> If the goal of setting an img-src directive in CSP is to protect
> against injection attacks adding unwanted image content to your page,
> isn't inline SVG the perfect bypass of the logical intent of that
> policy?

Injecting <svg> elements is no different from injecting <div>
elements. img-src is not about not showing images (e.g. it does not
disable <canvas>), it's about restricting where images can be fetched

Received on Monday, 28 July 2014 17:28:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC