Овај сајт ће имати ограничену функционалност док га будемо ажурирали у циљу побољшања вашег искуства. Ако неки чланак не реши ваш проблем и желите да поставите питање, на располагању ће вам бити наше заједнице подршке @FirefoxSupport на Twitter-у и /r/firefox на Reddit-у.

Претражи подршку

Избегните преваре подршке. Никада од вас нећемо тражити да зовете или шаљете поруке на број или да делите личне податке. Пријавите сумњиве радње преко „Пријавите злоупотребу” опције.

Сазнај више

won't display svg's using csp and default-src 'none'

  • 4 одговорa
  • 1 има овај проблем
  • 1 преглед
  • Последњи одговор послао thujal

more options

SVG's will not display in Firefox/mac since we've implemented a CSP that starts with default-src 'none'

We have published a proof of concept of this problem:

https://go-web.goodyear.portal.mccannbristol.co.uk/

The same website works fine in Firefox/Windows, and all other browsers. No amount of tweaking of the CSP header seems to allow SVG's to show, except if we remove the default-src 'none' directive. Full header is:

Content-Security-Policy "default-src 'none'; script-src 'self' https://www.google-analytics.com; connect-src 'self'; frame-src 'self' https://*.youtube.com https://*.youtube-nocookie.com https://*.doubleclick.net; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' https://www.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self'"

SVG's will not display in Firefox/mac since we've implemented a CSP that starts with default-src 'none' We have published a proof of concept of this problem: https://go-web.goodyear.portal.mccannbristol.co.uk/ The same website works fine in Firefox/Windows, and all other browsers. No amount of tweaking of the CSP header seems to allow SVG's to show, except if we remove the default-src 'none' directive. Full header is: Content-Security-Policy "default-src 'none'; script-src 'self' https://www.google-analytics.com; connect-src 'self'; frame-src 'self' https://*.youtube.com https://*.youtube-nocookie.com https://*.doubleclick.net; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' https://www.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self'"

Сви одговори (4)

more options

thujal said

The same website works fine in Firefox/Windows

Not for me, I get this in the Web Console on Firefox 48.0.2/Windows:

Content Security Policy: The page's settings blocked the loading of a resource at https://go-web.goodyear.portal.mccannbristol.co.uk/a/svg/global.svg ("default-src 'none'").

(I get a bouncing span with no image in it in the Inspector.)

This implies that a more specific policy applicable to the image in the SVG element was not found. But... extensive searching has not turned up an explanation of what <svg><img></svg> <svg><use href="uri"></svg> requires.

In your CSP, this is the only other 'none', did you try:

object-src 'self';

Измењено од стране jscher2000 - Support Volunteer

more options

Yes, we have tried object-src. In fact, we've kept adding the different src elements in a bid to make this work, but it does not. For example:

Header always set Content-Security-Policy "default-src 'none'; script-src 'self' https://www.google-analytics.com; connect-src 'self'; frame-src 'self' https://*.youtube.com https://*.youtube-nocookie.com https://*.doubleclick.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://www.google-analytics.com https://stats.g.doubleclick.net; object-src 'self'; font-src 'self'; media-src 'self'; child-src 'self'; plugin-types 'image/svg+xml'; frame-ancestors 'self'"

Does not work.

However, setting a default-src of self does indeed work:

Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google-analytics.com; connect-src 'self'; frame-src 'self' https://*.youtube.com https://*.youtube-nocookie.com https://*.doubleclick.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://www.google-analytics.com https://stats.g.doubleclick.net;"

Checking [https://content-security-policy.com|h.../content-security-policy.com] and other documentation, it doesn't look like there are any more headers for us to try to bring these SVG's in, so I simply see no way to have SVGs work in FF on a site with Content-Security-Policy "default-src 'none'... Which can't be the case, can it? I must be missing something really obvious!

Oh, and apologies, it also does not work in FF / win, this was an error our on testers part!

more options

I had trouble figuring out which part of the source code applies different content policies to different content types. If you or someone with you can search it out, that might shed light on how svg is evaluated.

https://dxr.mozilla.org/mozilla-release/source/

Alternately, you could submit a new bug:

https://bugzilla.mozilla.org/enter_bug.cgi