" /> " /> "/>

Using Content Security Policy to prevent XSS with HTML object/data tag


In my example I am trying to allow the image to load but prevent the JavaScript payload contained in logo.svg.

    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <meta http-equiv="Content-Security-Policy" content="script-src 'none';"/>
        <title>SVG XSS Demo</title>
    </head>
    <body>
    <h1>SVG XSS example</h1>
    <object data="https://d33wubrfki0l68.cloudfront.net/1b8d4f82d6234596c249121ca6d78a19f68255a9/1ff0e/blog/svg-xss-injection-attacks/logo.svg" width="300" height="300"></object>
    </body>
    </html>

The CSP directive in the example prevents inline JavaScript, but not the JavaScript contained in the SVG.

I can prevent the SVG image from displaying at all with an object-src CSP policy, but I want the image to display.

I can put the image in a src tag rather than an object tag, and it displays safely.
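Added example (not code from the question): a small Python model of how CSP decides which fetches an embedding page may make, showing that the question's policy leaves the `<object>` load unrestricted, that `object-src 'none'` blocks it, and that an `img-src` allow-list admits the same URL through `<img>`. The embedding page's origin `https://app.example` is an assumption, and the host matching is a simplified version of the CSP algorithm.

```python
"""CSP fetch-directive fallback model (object-src / img-src -> default-src).
Added example, not the question's code. It does not model the nested SVG
document: script inside an <object>-loaded SVG is governed by the CSP sent
with the SVG response, not by the embedding page's script-src."""
from urllib.parse import urlparse

LOGO_URL = ("https://d33wubrfki0l68.cloudfront.net/1b8d4f82d6234596c249121ca6d78a19f68255a9"
            "/1ff0e/blog/svg-xss-injection-attacks/logo.svg")
FALLBACK = {"object-src": "default-src", "img-src": "default-src"}


def parse_csp(policy: str) -> dict:
    """'dir src src; dir src' -> {directive: [sources]}; repeats are ignored."""
    parsed = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts and parts[0].lower() not in parsed:
            parsed[parts[0].lower()] = parts[1:]
    return parsed


def source_matches(src: str, url: str, page_origin: str) -> bool:
    """Simplified matching for 'none', 'self', *, scheme-sources and host-sources."""
    u, page = urlparse(url), urlparse(page_origin)
    if src.lower() == "'none'":
        return False
    if src.lower() == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if src == "*":
        return u.scheme in ("http", "https")
    if src.endswith(":"):                             # scheme-source, e.g. https:
        return u.scheme == src[:-1].lower()
    h = urlparse(src if "://" in src else "//" + src)  # host-source: [scheme://]host[:port][/path]
    host, url_host = h.hostname or "", u.hostname or ""
    host_ok = url_host.endswith(host[1:]) if host.startswith("*.") else host == url_host
    path_ok = not h.path or (u.path.startswith(h.path) if h.path.endswith("/")
                             else u.path == h.path)
    port_ok = h.port is None or h.port == u.port      # simplified: no default-port rule
    return host_ok and path_ok and port_ok and (not h.scheme or h.scheme == u.scheme)


def allows_fetch(policy: str, directive: str, url: str,
                 page_origin: str = "https://app.example") -> bool:
    """True when `directive`, or its default-src fallback, permits fetching `url`;
    with neither present the policy is silent and the browser allows the fetch.
    page_origin is an assumed origin for the embedding page."""
    csp = parse_csp(policy)
    sources = csp.get(directive, csp.get(FALLBACK.get(directive, directive)))
    return True if sources is None else any(source_matches(s, url, page_origin) for s in sources)
```

With the question's exact policy, `allows_fetch("script-src 'none';", "object-src", LOGO_URL)` is `True`: nothing in that policy governs the object load, and once the SVG is loaded as a nested document its script is outside the embedding page's CSP entirely.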
