Content-Security-Policy (CSP): how to allow svg image in object

Question

I am using the js plugin that adds inside itself SVG images. I have added CSP policy to my website, but I can't configure it to allow plugin's code.

Its code looks like:

label=$("<object style='height:10px; width:10px;' type='image/svg+xml' data='data:image/svg+xml;charset=UTF-8," +
"<svg xmlns=\"http://www.w3.org/2000/svg\">" +
"<rect x=\"0\" y=\"0\" some parameters/>"+
"<text>SomeText</text></svg>'></object>");
el.html(label)

I am looking for a configuration that allows SVG image that is rendered in the object. I am tried different options from there - CSP: object-src.

But I am alway get error like next:

Refused to load plugin data from 'data:image/svg+xml;charset=UTF-8, my svg here' because it violates the following Content Security Policy directive: "object-src 'unsafe-eval'".

How to configure CSP correct in this case?

sideshowbarker · Accepted Answer · 2022-06-29T22:05:13.727

20

That SVG image is provided by a data: URL, so your policy must be updated to allow that.

You don’t show your current policy or where you’re setting it, but assuming you’re setting it with the Content-Security-Policy header and it currently has object-src 'unsafe-eval', then you can allow data: URLs there by updating that part of the policy to look like this:

Content-Security-Policy: object-src data: 'unsafe-eval'

That shows just the relevant part of the current policy in the Content-Security-Policy header. Whatever other directives you currently have in that header value, you’d want to preserve as-is.

edited Jun 29 '22 at 22:05

answered Sep 25 '17 at 21:35

sideshowbarker

81,827
26
193
197

6

It should be noted that this opens the page up for an attack vector for any item on the page using object-src data. If your goal is security you'd be better off using a sha hash of the script trying to be executed rather than opening up this hole. – Chris Feb 21 '18 at 16:20
4

@Chris what's the mechanism to do an SHA hash, to include in the CSS? If the original is `background-image:url("data:image/svg+xml;charset=UTF-8,%3Csvg%20width%3D%2220%22%20height%3D%2220%22%20viewBox%3D%220%200%2020%2020%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%20%20%20%20%3Ccircle%20fill%3D%22none%22%20stroke%3D%22%23e5e5e5%22%20stroke-width%3D%222%22%20cx%3D%2210%22%20cy%3D%2210%22%20r%3D%227%22%20%2F%3E%0A%3C%2Fsvg%3E%0A");`, should I just so an SHA of the text there? – Khom Nazid Mar 09 '19 at 15:02

score 13 · Answer 2 · answered Mar 22 '22 at 10:33

13

I recently came across this same issue and was able to get around it by adding:

Content-Security-Policy: img-src data: w3.org/svg/2000

answered Mar 22 '22 at 10:33

stoicalpirate

250
3
12

great! any reference? do you know if it has good browser support? (eg it doesn't cause issues) – Pere May 03 '22 at 16:49
It's been working fine for me so far, but I know that's not a very scientific answer :-) – stoicalpirate May 05 '22 at 09:39
4

Are you sure this isn't allowing all "data:"? – Pere May 06 '22 at 19:30
2

This is allowing loading images from w3.org/svg/2000 and loading resources via the [data URL scheme](https://en.wikipedia.org/wiki/Data_URI_scheme). – stoicalpirate May 08 '22 at 00:07
2

Agreed with @stoicalpirate, remove the `w3.org/svg/200`. You only need `data:` in the CSP to get it to work. – Joseph Carroll Sep 24 '22 at 20:53
This allows the both all `data:` sources and the `w3.org/svg/2000` source. – Dmitry Feb 05 '23 at 17:52
Where is that code to be added? – derpedy-doo Jun 22 '23 at 11:19

Content-Security-Policy (CSP): how to allow svg image in object

2 Answers2

Linked