
Issue 782380

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Buried. Ping if important.
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug


Desktop Chrome is less strict about CSP than mobile

Reported by lmannin...@gmail.com, Nov 7 2017

Issue description

I recently delved into the wonderful world of securing websites. I'm using letsencrypt to generate my certificates and also adding some headers in my nginx config. The issue I've noticed has to do with inline SVGs, or more specifically, images defined in CSS with a "data" scheme.

background-image: url("data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg' xmlns:xlink…%23f7f7f7' /><rect y='40' width='50' height='10' fill='%23f7f7f7' /></svg>");

With no CSP set, this loads completely fine. When I have CSP set to the following, it loads fine in desktop Chrome but fails to load in mobile Chrome and mobile Firefox:

add_header Content-Security-Policy "default-src https:";

I have to switch my policy to the following for it to work universally:

add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:";

So I am wondering if there is a reason for the discrepancy between desktop browsers and mobile browsers when dealing with CSP? I would expect that the policy would be adhered to on all browsers, not ignored or only loosely adhered to by some.
 
Components: Blink>SecurityFeature

Comment 2 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 3 by jochen@chromium.org, Nov 10 2017

Cc: mkwst@chromium.org
Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Owner: andypaicu@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 4 by mkwst@chromium.org, Jan 22 2018

Cc: -mkwst@chromium.org andypaicu@chromium.org
Owner: mkwst@chromium.org
Apologies for the slow response: Are you, perchance, on iOS? If so, that would explain the distinction: Chrome on iOS's support for CSP is limited by our use of WebKit on that platform. Firefox's behavior would be equally affected.

I was having this issue on Android.

Comment 6 by mkwst@chromium.org, Jan 22 2018

Interesting. `default-src https:` should block `data:` on both desktop and mobile, while `default-src https:; img-src 'self' data:` should allow on both. Indeed, we don't distinguish between platforms in Blink; it's all the same code.

Is there a page we could poke at? A quick demo at https://output.jsbin.com/foxufem shows the same behavior on both Linux desktop (63.0.3239.132) and Android (65.0.3325.0).
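To make the behaviour described in the report and in comment 6 concrete, here is an added example (not code from this issue, from Blink, or from any browser) of a minimal CSP checker for image loads. It parses a Content-Security-Policy header, applies the fetch-directive fallback (img-src, else default-src, else allow) and matches the source expressions that appear in this thread: 'self', 'none', scheme sources such as https: and data:, and plain host sources. Nonces, hashes, host wildcards and report-only mode are left out, and the page URL, image URLs and helper names are constructed for the example.

```javascript
// Added example, not part of the Chromium issue or any browser code base.
// Assumptions: a page served from https://example.com/ (constructed), and
// the two policies quoted in the report. The global WHATWG URL class is
// used for parsing; data: URLs parse with protocol "data:" and no host.

function parsePolicy(header) {
  // First occurrence of a directive name wins; later duplicates are ignored,
  // which mirrors how browsers treat repeated directives in one policy.
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.host === b.host;
}

function sourceMatches(expr, target, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {
    // data: URLs have an opaque origin, so they never match 'self'.
    return target.protocol !== "data:" && sameOrigin(target, page);
  }
  // Other keywords ('unsafe-inline', 'unsafe-eval', ...) govern script and
  // style evaluation, not fetches, so they never allow an image load.
  if (e.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) {
    // Scheme source such as "https:" or "data:": matches the target scheme.
    return target.protocol === e;
  }
  // Host source, with or without scheme ("cdn.example.net" or
  // "https://cdn.example.net"). Exact host comparison; no wildcard support.
  const withScheme = e.includes("://");
  const hostExpr = new URL(withScheme ? e : `${page.protocol}//${e}`);
  return hostExpr.host === target.host &&
    (!withScheme || hostExpr.protocol === target.protocol);
}

// Returns true when the policy permits loading imageUrl from pageUrl.
function imageAllowed(header, pageUrl, imageUrl) {
  const page = new URL(pageUrl);
  const target = new URL(imageUrl);
  const policy = parsePolicy(header);
  // Fallback chain for image loads: img-src, then default-src.
  const sources = policy.has("img-src")
    ? policy.get("img-src")
    : policy.get("default-src");
  if (sources === undefined) return true; // no governing directive
  return sources.some((expr) => sourceMatches(expr, target, page));
}

// Constructed sample values based on the policies quoted in the issue.
const PAGE = "https://example.com/";
const SVG_DATA =
  "data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg'></svg>";
const STRICT = "default-src https:";
const RELAXED =
  "default-src https: 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:";

if (typeof require !== "undefined" && require.main === module) {
  console.log(imageAllowed(STRICT, PAGE, SVG_DATA)); // false: data: is not https:
  console.log(imageAllowed(RELAXED, PAGE, SVG_DATA)); // true: img-src lists data:
  // Side effect of the reporter's fix: once img-src exists, default-src no
  // longer applies to images, so a cross-origin https image is now refused.
  console.log(imageAllowed(RELAXED, PAGE, "https://cdn.example.net/a.png")); // false
}
```

Running the checker against both policies gives the result mkwst describes: `default-src https:` refuses the data: image and the relaxed policy allows it, on any platform, because the matching rules contain nothing platform-specific. The third case shows a caveat worth knowing before copying the relaxed policy: an `img-src` directive replaces `default-src` for images rather than extending it, so `img-src 'self' data:` would need `https:` added if images from other hosts are still expected to load.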

Comment 7 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
