Content Security Policy - data:image/svg+xml is ignored in img-src

My CSP header looks like this (actually, it's only the part relevant to loading images), which should be valid. But Chrome complains that "The source list for Content Security Policy directive 'img-src' contains an invalid source: 'data:image/svg+xml'. It will be ignored."

img-src data:image/svg+xml 'self' https://stats.g.doubleclick.net/r/collect https://www.facebook.com/tr/ https://www.google-analytics.com/r/collect data:image/svg+xml;

It should be valid, I've found it in examples around the web, yet it does not work. For example it is suggested here https://security.stackexchange.com/questions/94993/is-including-the-data-scheme-in-your-content-security-policy-safe/95011#95011

Please provide a valid and working example, I am lost in this maze.

David Votrubec, asked Aug 10 '18 13:08



1 Answer

Your example CSP is invalid. According to the MDN documentation you should use only hosts, schemes or other constant values. After correction, your example should look like:

img-src 'self' https://stats.g.doubleclick.net/ https://www.facebook.com/ https://www.google-analytics.com/ data:;

Aleš Roubíček, answered Oct 28 '22 07:10
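The following is an added example, not code from the question or the answer: a small JavaScript classifier for CSP source expressions, modelled on the source grammar from the CSP specification (scheme-source, host-source, keyword-source, nonce/hash). The regular expressions are an approximation I wrote for illustration, not a browser's parser, but they reproduce the behaviour Chrome reports above: a scheme-source is `scheme:` with nothing after the colon, `data:image/svg+xml` is neither a scheme-source nor a host-source, and so it is dropped from the list. The `suggestFix` helper applies the same correction the answer makes (keep the bare scheme, `data:`). The two directive strings are the ones from the question and the answer, embedded here as constructed input.

```javascript
// Added example (not part of the original question or answer): classify each
// source expression of a CSP directive the way a browser's source-list parser
// would, and report the ones it will ignore.

const KEYWORDS = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
]);

// scheme-source: scheme ":"   (scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ))
// Nothing may follow the colon, so a media type such as "image/svg+xml" is invalid.
const SCHEME_SOURCE = /^[A-Za-z][A-Za-z0-9+.\-]*:$/;

// host-source: [ scheme "://" ] host [ ":" port ] [ path ]
// Approximation of the spec grammar, assumed here for illustration.
const HOST_SOURCE = new RegExp(
  "^(?:[A-Za-z][A-Za-z0-9+.\\-]*://)?" +                               // optional scheme-part
  "(?:\\*|(?:\\*\\.)?[A-Za-z0-9\\-]+(?:\\.[A-Za-z0-9\\-]+)*\\.?)" +   // host-part
  "(?::(?:[0-9]+|\\*))?" +                                            // optional port-part
  "(?:/[^\\s;,]*)?$"                                                  // optional path-part
);

// 'nonce-<base64>' and 'sha256-…' / 'sha384-…' / 'sha512-…'
const NONCE_OR_HASH = /^'(?:nonce-|sha(?:256|384|512)-)[A-Za-z0-9+\/_\-]+=*'$/;

function classifySource(src) {
  if (KEYWORDS.has(src)) return "keyword";
  if (NONCE_OR_HASH.test(src)) return "nonce-or-hash";
  if (SCHEME_SOURCE.test(src)) return "scheme";
  if (HOST_SOURCE.test(src)) return "host";
  return "invalid";
}

// For an invalid "scheme:something" source (not "scheme://..."), the fix the
// answer applies is to keep only the bare scheme; returns null otherwise.
function suggestFix(src) {
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):(?!\/\/)/.exec(src);
  return m ? `${m[1]}:` : null;
}

// Parse one directive ("img-src a b c;") and split its sources into the ones a
// browser keeps and the ones it will ignore, each with a suggested replacement.
function validateDirective(directive) {
  const tokens = directive.trim().replace(/;$/, "").split(/\s+/);
  const name = tokens.shift();
  const valid = [];
  const invalid = [];
  for (const src of tokens) {
    const kind = classifySource(src);
    if (kind === "invalid") invalid.push({ source: src, fix: suggestFix(src) });
    else valid.push({ source: src, kind });
  }
  return { name, valid, invalid };
}

// Constructed input: the directive from the question and the corrected one from the answer.
const QUESTION_DIRECTIVE =
  "img-src data:image/svg+xml 'self' https://stats.g.doubleclick.net/r/collect " +
  "https://www.facebook.com/tr/ https://www.google-analytics.com/r/collect data:image/svg+xml;";
const ANSWER_DIRECTIVE =
  "img-src 'self' https://stats.g.doubleclick.net/ https://www.facebook.com/ " +
  "https://www.google-analytics.com/ data:;";

if (typeof require !== "undefined" && require.main === module) {
  for (const d of [QUESTION_DIRECTIVE, ANSWER_DIRECTIVE]) {
    const r = validateDirective(d);
    console.log(r.name, "kept:", r.valid.map((v) => v.source).join(" "));
    for (const bad of r.invalid) console.log("  ignored:", bad.source, "-> use", bad.fix);
  }
}
```

Running it with `node` lists the four sources Chrome keeps from the question's directive and flags both `data:image/svg+xml` entries as ignored with `data:` as the replacement; the answer's directive produces no ignored sources. Note that `data:` then allows any data: URL for images regardless of media type, since the source grammar has no way to narrow it; that is the trade-off the linked security.stackexchange thread discusses.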