Closed
Bug 1683972
Opened 4 years ago
Closed 4 years ago
CSP default-src: 'none' should allow SVG SMIL animation
Categories: Core :: DOM: Security, defect
Tracking: RESOLVED DUPLICATE of bug 1459872
| | Tracking | Status |
|---|---|---|
| firefox86 | --- | affected |
People: Reporter: me, Unassigned
Details
Serving an SVG image as content-type image/svg+xml with
Content-Security-Policy: default-src 'none';
will prevent SMIL animations from working in Firefox, but they do work in Blink with the same CSP. One can work around this by setting
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline';
which is also what GitHub uses for their raw SVGs, but I think it's overzealous to identify SMIL as an unsafe inline style; it should not be classified as such.
Related discussion around this is in https://bugzilla.mozilla.org/show_bug.cgi?id=763879
Example image: https://raw.githubusercontent.com/StylishThemes/GitHub-Dark/master/images/octocat-spinner-smil.svg
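As an added example (not part of the bug report or of Firefox), the following Python script serves a constructed SMIL-animated SVG under either of the two CSP values from the description, and includes a small checker that applies the CSP fallback from style-src to default-src, which is why the strict policy ends up governing inline style in the first place. The SVG markup, port and handler name are made up here; the octocat image from the report is not used.

```python
import http.server

# Constructed minimal SMIL-animated SVG (a spinning square) standing in for the report's octocat spinner.
SMIL_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect x="25" y="25" width="50" height="50" fill="#333">
    <animateTransform attributeName="transform" type="rotate"
      from="0 50 50" to="360 50 50" dur="2s" repeatCount="indefinite"/>
  </rect>
</svg>
"""
# The two policies from the report.
STRICT_CSP = "default-src 'none';"
WORKAROUND_CSP = "default-src 'none'; style-src 'unsafe-inline';"

def parse_csp(csp):
    """Split a CSP value into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for token in csp.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_sources(csp, directive):
    """Sources governing `directive`, falling back to default-src as fetch
    directives like style-src do. None means nothing restricts it."""
    policy = parse_csp(csp)
    return policy.get(directive, policy.get("default-src"))

def allows_inline_style(csp):
    """True if inline style is permitted, which per the report is what Firefox
    also demands of SMIL. Nonce and hash sources are not modelled here."""
    sources = effective_sources(csp, "style-src")
    return sources is None or "'unsafe-inline'" in sources

class SvgHandler(http.server.BaseHTTPRequestHandler):
    csp = WORKAROUND_CSP  # switch to STRICT_CSP to reproduce the report

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "image/svg+xml")
        self.send_header("Content-Security-Policy", self.csp)
        self.send_header("Content-Length", str(len(SMIL_SVG)))
        self.end_headers()
        self.wfile.write(SMIL_SVG)

if __name__ == "__main__":
    # Open http://127.0.0.1:8000/ in Firefox and in a Blink browser to compare.
    http.server.HTTPServer(("127.0.0.1", 8000), SvgHandler).serve_forever()
```

The checker is deliberately minimal: it shows only the default-src fallback at issue here, and 'unsafe-inline' is treated as effective even though a real policy with nonce or hash sources would override it.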
Comment 1 • Reporter • 4 years ago
Might be a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1459872, meaning it may only affect certain animated attributes which are seen as "insecure". Will try to confirm later.
Updated • Reporter • 4 years ago
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE