CSP3: Consider adding a 'resource-src' directive #198

Open
jwatt opened this issue Mar 19, 2017 · 0 comments

jwatt commented Mar 19, 2017

SVG has the concept of resource documents, where an external document can contain things like markers, filters, gradients, etc., and other documents can link, say, the 'marker' CSS property to an anchor in the external document. UAs then load the external document, and draw the external marker as appropriate. Perhaps image-src should cover this case, but we should look at it more closely. At any rate, filing this while I remember.

@mikewest mikewest modified the milestone: CSP3 CR May 9, 2017
@andypaicu andypaicu modified the milestones: CSP3 CR, Future Jan 9, 2018
LeSuisse added a commit to Enalean/tuleap that referenced this issue Feb 5, 2021
…are not displayed

The issue happens for two reasons:
* since the v5.0 of file-loader everything is considered to be usable as
  an ES module by default. This does not work in this situation.
* SVG loaded through `<use>` is a bit of a grey area in the
  Content-Security-Policy specification [0][1] and as a result it does not
  work on Firefox when `default-src` is set to none.

In order to solve the issue while keeping the overall app not too big,
the parts of the SVG have been split into individual components and
are loaded asynchronously.

The opportunity has also been taken to optimize the SVGs with SVGO [2].

[0] w3c/webappsec-csp#199
[1] w3c/webappsec-csp#198
[2] https://github.com/svg/svgo

Change-Id: Ia66419a50e73eadaffdd31bf3b1b70a5328592d3
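
The resource-document references described in this issue, and the `<use>` case in the referencing commit, can be inventoried before a policy is tightened. The following is an added example, not code from the issue, the CSP specification or Tuleap: a Node.js helper that lists references in SVG markup which point at an anchor in another document. `findExternalSvgResources`, the sample markup and the `app.example` / `cdn.example` URLs are constructed for illustration.

```javascript
// Added example: inventory references to external SVG resource documents.
// Regex scan for illustration only; it is not a full SVG or CSS parser.
const USE_HREF = /<use\b[^>]*?\s(?:xlink:)?href\s*=\s*(["'])(.*?)\1/gi;
const CSS_URL = /url\(\s*(["']?)([^"')]+)\1\s*\)/gi;

function findExternalSvgResources(markup, baseUrl) {
  const base = new URL(baseUrl);
  base.hash = '';
  const found = [];
  const record = (kind, ref) => {
    const raw = ref.trim();
    if (raw.startsWith('#')) return; // anchor in the same document, no fetch
    let target;
    try { target = new URL(raw, base); } catch (_) { return; }
    if (!/^https?:$/.test(target.protocol)) return; // ignore data:, blob:, ...
    const fragment = target.hash.slice(1);
    if (!fragment) return; // no anchor: an ordinary file load, not a resource reference
    target.hash = '';
    if (target.href === base.href) return; // resolves back to this document
    found.push({
      kind,
      document: target.href,
      fragment,
      crossOrigin: target.origin !== base.origin,
    });
  };
  for (const m of markup.matchAll(USE_HREF)) record('use', m[2]);
  for (const m of markup.matchAll(CSS_URL)) record('css-url', m[2]);
  return found;
}

// Constructed sample markup and base URL (not taken from the issue or commit).
const BASE = 'https://app.example/dashboard/index.html';
const SAMPLE = `
<svg xmlns="http://www.w3.org/2000/svg">
  <use href="#inline-icon"/>
  <use xlink:href="/assets/sprite.svg#edit"/>
  <path style="marker-end: url(markers.svg#arrow)" d="M0 0L9 9"/>
  <rect filter="url('https://cdn.example/fx.svg#blur')" width="9" height="9"/>
  <rect fill="url(#local-gradient)" width="9" height="9"/>
  <image href="photo.png"/>
</svg>`;

console.log(findExternalSvgResources(SAMPLE, BASE));
```

Each entry it reports is a load to test under the deployed policy in every target browser, since the thread above leaves open which directive governs it.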