add content security policy header to SVG responses #10642
Merged
This PR does not resolve an open security issue. However, it does proactively add another layer of protection on top of what we already do to prevent cross-site scripting issues.
SVGs can contain JavaScript. When they're embedded with an `<img>` tag, SVGs are rendered in secure static mode, which disables any embedded JavaScript along with some other restrictions. When they're embedded with an `<object>` tag or loaded directly, this is not the case.

While we take steps to prevent XSS issues, we have on at least one occasion discovered an escaping issue, which made it possible for someone to inject script into a badge image. Reference: #3511
In general, I think our escaping game is pretty solid these days.
That said, it is not impossible that someone might find a way around the mechanisms we have in place or we might introduce an escaping bug in some future refactor.
For this reason, I suggest we serve our SVG images with the `Content-Security-Policy: script-src 'none';` header. This is a content security policy header that basically says "no JavaScript allowed on this response" and offers a strong browser-level protection. This header is respected when the image is loaded directly, but also, crucially, when embedded with an `<object>` tag. Essentially, this would mean that even if someone found a way to sneak a `<script>` tag into an SVG response served from shields.io, any modern browser would refuse to run that script.