mdn / mdn-http-observatory

Mozilla Public License 2.0

SVG sprites, Firefox, and default-src 'none' recommendation #6

Open pepelsbey opened 4 days ago

pepelsbey commented 4 days ago

I noticed that there’s a questionable recommendation we give in the Observatory:

Deny by default, using default-src 'none'

You can only use SVG sprites via external files in Firefox with default-src 'self'

```html
<svg>
  <use href="/images/icons.svg#icon"/>
</svg>
```

Once you set default-src 'none', your icons will be blocked in Firefox. And you might not notice that because you don’t test in Firefox. Firefox treats external SVG files not as image-src, as other browsers do. Currently, no CSP rule would allow Firefox to load this icon, so Firefox defaults to none and blocks it.

I’d change this recommendation or link to the explanation of this specific case documented on MDN.
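To make the compatibility gap described above concrete, here is an added example (not code from this issue or from the Observatory project) that evaluates a Content-Security-Policy header against the `<use href="…">` sprite fetch under the two behaviours the issue describes: Chromium-style engines treat it as an image load (`img-src`, falling back to `default-src`), while Firefox has no fetch directive covering it, so only `default-src` governs. The browser model and the simplified source matching (keyword, scheme and exact host only, no wildcard hosts) are assumptions of this example.

```python
"""Evaluate whether an external SVG sprite <use href> fetch is allowed by a CSP.

Added illustration for the Observatory issue; the two-browser model is a
simplification based on the behaviour described in the issue text.
"""
from __future__ import annotations


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header into {directive: [source expressions]}.

    Everything is lowercased for comparison; nonces/hashes are case-sensitive
    in real policies but play no role in a sprite fetch.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), []).extend(s.lower() for s in sources)
    return policy


def source_allows(sources: list[str], origin: str, page_origin: str) -> bool:
    """Simplified source-list match: 'none', 'self', '*', scheme and host."""
    origin, page_origin = origin.lower(), page_origin.lower()
    # An empty source list (e.g. "img-src;") behaves like 'none'.
    if not sources or "'none'" in sources:
        return False
    scheme, _, host = origin.partition("://")
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if origin == page_origin:
                return True
        elif src.startswith("'"):
            continue  # 'unsafe-inline', nonces, hashes: irrelevant for a fetch
        elif src.endswith(":"):
            if scheme + ":" == src:  # scheme-source such as https:
                return True
        elif "://" in src:
            if src == origin:  # host-source with explicit scheme
                return True
        elif src == host:  # bare host-source: any scheme
            return True
    return False


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Fetch-directive resolution: the directive itself, else default-src.

    Returns None when neither is present, meaning CSP does not restrict it.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def svg_use_allowed(header: str, sprite_origin: str, page_origin: str, browser: str) -> bool:
    """Would <use href> from sprite_origin load on a page at page_origin?"""
    policy = parse_csp(header)
    if browser == "firefox":
        # Assumed model from the issue: no fetch directive covers the load,
        # so only default-src applies; img-src is ignored entirely.
        sources = policy.get("default-src")
    else:
        sources = effective_sources(policy, "img-src")
    if sources is None:
        return True
    return source_allows(sources, sprite_origin, page_origin)


def compare_browsers(header: str, page_origin: str) -> dict[str, bool]:
    """Same-origin sprite (as in the issue) under both browser models."""
    return {
        b: svg_use_allowed(header, page_origin, page_origin, b)
        for b in ("chromium", "firefox")
    }


if __name__ == "__main__":
    # Constructed sample policies; example.org is a placeholder origin.
    for csp in ("default-src 'self'", "default-src 'none'; img-src 'self'"):
        print(f"{csp!r}: {compare_browsers(csp, 'https://example.org')}")
```

Running the script shows the asymmetry the issue reports: `default-src 'self'` loads the sprite everywhere, while the Observatory-style `default-src 'none'; img-src 'self'` is fine in Chromium-style engines but blocked in Firefox, which is exactly the case a site owner testing only in one browser would miss.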

github-actions[bot] commented 4 days ago

It looks like this is your first issue. Welcome! 👋 One of the project maintainers will be with you as soon as possible. We appreciate your patience. To safeguard the health of the project, please take a moment to read our code of conduct.

pepelsbey commented 3 days ago

FYI, there’s now info on MDN covering this special case in Firefox thanks to @chrisdavidmills

caugner commented 3 days ago

This is especially about this test / recommendation:

[image]

But it might affect others as well.

caugner commented 3 days ago

@pepelsbey As discussed, can you please provide a suggestion for the Recommendation text that takes into consideration this limitation? 🙏

mozfreddyb commented 2 days ago

FWIW, while I agree with Jonathan's comment that <svg><use> should not be classified as image loads in Firefox and that it's a huge problem for CSP that there's no clear specification for how they are supposed to be used, I believe that we can fix the compat issue by treating them as images just for the purpose of CSP loads. I will not post more comments about the Firefox issue here and would like to point you to follow https://bugzilla.mozilla.org/show_bug.cgi?id=1773976 for further updates.