CSP frame-src 'self' blocks external SVGs

Fixed Issue #8690562

Details

Author
Shaun W.
Created
Aug 29, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
13.10586
Reports
Reported by 1 person

Steps to reproduce

The following CSP blocks external SVGs in iframes:

frame-src 'self'

Minimal example reproduced here:
http://shaunstripe.github.io/csp-frame-src-for-svg

Expected: SVG should be visible (which is true for all other browsers)
Actual: SVG is blocked

Code to reproduce here:
RS4BugScrub

Attachments

0 attachments

    Comments and activity

    • This also blocks data URI SVGs from loading as well.

    • Microsoft Edge Team

      Changed Assigned To to “Rick J.”

      Changed Assigned To to “wwatri”

    • We encountered the same issue. Could you please have it fixed? It is a security issue.

    • Microsoft Edge Team

      Changed Assigned To from “wwatri” to “Liang Z.”

      Changed Status to “Confirmed”

      Changed Steps to Reproduce

      Changed Status from “Confirmed” to “Fixed”
