Allowing the `data:` scheme for sources in the CSP is inherently unsafe. CSP doesn't have an easy way to allow some uses of `data:`. From MDN:

> This is insecure; an attacker can also inject arbitrary `data:` URIs. Use this sparingly and definitely not for scripts.

Inlining SVGs in CSS avoids the multiple HTTP connections needed to fetch the multiple files, but HTTP/2 makes this much less beneficial because the same connection is reused for fetching multiple assets.

This PR moves all inlined CSS background-image and mask SVG into SVG files and references those files in the CSS. This avoids the need to modify the CSP.
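As an added illustration, not code from this PR or its project, the script below performs the same migration on a constructed stylesheet (inline `data:image/svg+xml` URIs rewritten to hashed `.svg` file references) and checks whether a given CSP would have to list `data:` for image loads. The `icon-<hash>.svg` naming, the `../img/` prefix, the sample SVGs and the two example policies are assumptions.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote

# Matches url("data:image/svg+xml;base64,...") and url(data:image/svg+xml,%3Csvg...),
# quoted or unquoted; the payload runs up to the closing quote (if any) and ")".
DATA_SVG_URL = re.compile(
    r'url\(\s*(?P<q>["\']?)data:image/svg\+xml(?:;charset=[\w-]+)?(?P<b64>;base64)?,'
    r'(?P<payload>.*?)(?P=q)\s*\)',
    re.IGNORECASE | re.DOTALL,
)

def externalize_data_svgs(css, url_prefix="../img/"):
    """Rewrite every inline SVG data: URI in `css` to a file reference named by
    content hash. Returns (new_css, {filename: svg_bytes}) for the caller to write."""
    files = {}
    def repl(m):
        payload = m.group("payload")
        svg = base64.b64decode(payload) if m.group("b64") else unquote(payload).encode()
        name = "icon-" + hashlib.sha256(svg).hexdigest()[:12] + ".svg"
        files[name] = svg
        return f'url("{url_prefix}{name}")'
    return DATA_SVG_URL.sub(repl, css), files

def csp_permits_data(csp, directive="img-src"):
    """True if `directive` (or default-src, the browser's fallback) lists data:.
    CSP cannot allow only the project's own inline SVGs: a listed data: accepts
    any data: payload that reaches a style, which is what the MDN warning means."""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = {t.lower() for t in tokens[1:]}
    sources = policy.get(directive, policy.get("default-src", set()))
    return "data:" in sources

# Constructed sample input: the "before" stylesheet with one base64 and one
# percent-encoded inline SVG, plus an ordinary file URL that must stay untouched.
SVG_CLOSE = b'<svg xmlns="http://www.w3.org/2000/svg"><path d="M2 2l6 6M8 2l-6 6"/></svg>'
SVG_MENU = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="2"/></svg>'
SAMPLE_CSS = (
    '.icon-close { background-image: url("data:image/svg+xml;base64,'
    + base64.b64encode(SVG_CLOSE).decode() + '"); }\n'
    '.icon-menu { mask-image: url(data:image/svg+xml,' + quote(SVG_MENU) + '); }\n'
    '.photo { background-image: url("/img/photo.png"); }\n'
)
CSP_BEFORE = "default-src 'self'; img-src 'self' data:"  # needed while SVGs are inline
CSP_AFTER = "default-src 'self'; img-src 'self'"         # enough once they are files
```

Running `externalize_data_svgs(SAMPLE_CSS)` yields a stylesheet with no `data:` left in it and two SVG blobs to write out, after which `CSP_AFTER` is sufficient.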