Open pepelsbey opened 4 days ago
FYI, there’s now info on MDN covering this special case in Firefox thanks to @chrisdavidmills
This is especially about this test / recommendation:
But it might affect others as well.
@pepelsbey As discussed, can you please provide a suggestion for the Recommendation text that takes into consideration this limitation? 🙏
FWIW, while I agree with Jonathan's comment that `<svg><use>` should not be classified as image loads in Firefox and that it's a huge problem for CSP that there's no clear specification for how they are supposed to be used, I believe that we can fix the compat issue by treating them as images just for the purpose of CSP loads. I will not post more comments about the Firefox issue here and would like to point you to https://bugzilla.mozilla.org/show_bug.cgi?id=1773976 for further updates.
I noticed that there’s a questionable recommendation we give in the Observatory:
You can only use SVG sprites via external files in Firefox with `default-src 'self'`. Once you set `default-src 'none'`, your icons will be blocked in Firefox. And you might not notice that because you don’t test in Firefox. Firefox treats external SVG files not as `image-src`, as other browsers do. Currently, no CSP rule would allow Firefox to load this icon, so Firefox defaults to `none` and blocks it.

I’d change this recommendation or link to the explanation of this specific case documented on MDN.
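
The policy shape described in this issue can be checked mechanically. The following is an added example, not code from the issue or from the Observatory. The function names are hypothetical, source matching is simplified to `'none'`, `'self'`, `*` and an exact origin, and the browser model (Firefox checking an external `<use>` sprite against `default-src` only, other browsers against `img-src`) is taken from the issue text as an assumption.

```javascript
// Parse a Content-Security-Policy header value into a Map: directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Does a source list allow a same-origin fetch? Simplified matching only:
// 'self', '*' or the exact page origin. 'none' or an empty list blocks.
function allowsSameOrigin(sources, pageOrigin) {
  if (sources === undefined) return true; // no governing directive at all
  return sources.some((s) => {
    const v = s.toLowerCase();
    return v === "'self'" || v === '*' || v === pageOrigin.toLowerCase();
  });
}

// Assumption from the issue: Firefox governs an external <use> sprite by
// default-src; other browsers use img-src, falling back to default-src.
function checkSpritePolicy(header, pageOrigin) {
  const policy = parseCsp(header);
  const fallback = policy.get('default-src');
  const img = policy.has('img-src') ? policy.get('img-src') : fallback;
  const firefox = allowsSameOrigin(fallback, pageOrigin);
  const others = allowsSameOrigin(img, pageOrigin);
  return { firefox, others, mismatch: firefox !== others };
}

// Constructed sample policies for a page served from a constructed origin.
const ORIGIN = 'https://example.test';
const STRICT = "default-src 'none'; img-src 'self'; script-src 'self'";
const RELAXED = "default-src 'self'";

console.log(checkSpritePolicy(STRICT, ORIGIN));  // sprite loads everywhere but Firefox
console.log(checkSpritePolicy(RELAXED, ORIGIN)); // sprite loads in all browsers
```

A `mismatch: true` result marks a policy under which same-origin sprites would render in other browsers and silently disappear in Firefox.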