User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0

Steps to reproduce:

Using XAMPP a php file containing the following was loaded:

// Headers
header("Content-Security-Policy-Report-Only: report-uri php/report.php; default-src 'none'; child-src 'none'; connect-src 'none'; font-src 'none'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'none'; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'; style-src 'none'; style-src-elem 'none'; style-src-attr 'none'; worker-src 'none'");
// Getting the head.
echo '<!DOCTYPE html><html lang=nl><head><meta charset=UTF-8><meta name=robots content=none,noindex,><title>test</title></head>';
// Getting the content.
echo '<body><svg><use xlink:href="./assets/star.svg#svg-star"></use></svg></body>';```


Actual results:

The page was loaded and a CSP report generated.
Report:
```{"csp-report":{"blocked-uri":"https://localhost/CatWeb/assets/star.svg","document-uri":"https://localhost/CatWeb/testpage.php","original-policy":"report-uri https://localhost/CatWeb/php/report.php; default-src 'none'; child-src 'none'; connect-src 'none'; font-src 'none'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; worker-src 'none'","referrer":"","violated-directive":"default-src"}}```


Expected results:

A different violated directive should've been specified instead of the fallback directive.

In hindsight this could also happen if I missed a fetch directive.
I used all the fetch directives listed here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

I suspect this should have been frame-src or child-src instead, but maybe we haven't tagged SVG <use> loads as the correct type. (Freddy thinks it might just be a reporting issue)

It seems like Chrome uses image-src for <use>. We might want to ask on GitHub what the preferred directive is. Internally the load is currently tagged as nsIContentPolicy::TYPE_OTHER. It looks like we also end up in this method for other kinds of SVG loads, but the name of the method is very generic so maybe this is also used for something else.

Anything tagged TYPE_OTHER will definitely only be blocked by default-src. Unless it's something internal it's either a mistake or a sign that something hasn't been specified yet. See the note at
https://searchfox.org/mozilla-central/rev/196b6aa0427f38058fd43ac90ee94fcf2f436fb6/dom/base/nsIContentPolicy.idl#34-38

The CSP directive that should govern <use> is not standardized in the big table in the Fetch spec (which is self-proclaimed to be incomplete), nor does the DOM spec specify this. There are arguments in issues in both the CSP and SVG repos; I've added CSP issue #199 to the See Also above. As JWatt notes in bug 1303364 comment 4 the <use> feature doesn't act like an image or a frame so it's really unclear either of those are appropriate choices.

This is really a dupe of bug 1303364, but that was marked INVALID. It is a real problem that this is not specified and that as a result Chrome and Firefox behavior differs. It may not valid as a "Firefox bug", but it does represent something that needs to be resolved and then ultimately updated in Firefox.

There's a whole lot of TYPE_OTHER
https://searchfox.org/mozilla-central/search?q=%5B%5E_%5DTYPE_OTHER&path=&case=true&regexp=true

Just commenting here for additional visibility. We are aware that this bug prevents people from enforcing a CSP that starts with a very strict default-src and makes users of Firefox and/or the MDN HTTP Observatory unhappy.

While this is technically a bug in the specification that ought to be resolved more broadly, we will take a look what we can do in the meantime to fix the immediate compat problems.

This is maybe not the best name, because we also use this for e.g. SVGs
used as CSS paths.

We want to give a new nsContentPolicyType to SVG <use> requests, so we
need to tag them correctly at the source.

To be honest, I don't quite know what SVGObserverUtils.cpp is actually
doing.

SVGObserverUtils looks for changes to the DOM or any other changes e.g. it makes sure that an element has references to another element and those references change then the element updates more concretely it's making this sort of thing work...

<circle id="bar" cx="5" cy="5" r="4" stroke="blue" />
<use href="#myCircle"/>

document.getElementById("bar").setAttribute("id", "myCircle");

Thank you Robert. If I am understanding this example correct, this just seems like a sort of implicit <use> load as well. On the patch Emilio mentioned that we also use it for SVG filters.

After this lands, https://github.com/mdn/content/pull/34592 should probably be mostly reverted.

https://hg.mozilla.org/mozilla-central/rev/04bbd28955f8
https://hg.mozilla.org/mozilla-central/rev/57561bb6a5d2
https://hg.mozilla.org/mozilla-central/rev/f4a754ad50ce