I want to use an SVG as a backround image for one of my pages. For this, I have to make my CSP img-src rule as img-src 'self' data:
However, this will be an unsafe choice as explained here.
Has anyone faced this issue? If yes, how did you overcome it?
Top comments (10)
Don't use a base64'd version of the image, or anything using the
dataprotocol.You can use an url towards the image instead, which will make it safe.
I had tried with a relative url previously and the request was going for the base64'd version. It works only if I use the full URL. I didn't want to hardcode the URL.
Anyways, thanks!
what was your CSS? you should be using a URL not
data:This doesn't work:
But this does:
I just don't want to hardcode the URL
Try
url('/img/bg.svg'), not sure if that will work though.I don't see the difference between your snippet and mine 😅.
I know my relative URL is right, because without CSP it works fine.
What’s your CSP?
the difference between url('/img/bg.svg') and url("../img/bg.svg") is that the former is an absolute path and will always refer to the same resource the latter is a relative path and the resource it refers to will change depending on the URL of the page that makes the request.
For example if the page making the request is example.com/page/content/index.html then '/img/bg.svg' will look for the SVG at example.com/img/bg.svg whereas '../img/bg.svg' will look for the SVG at example.com/page/img/bg.svg
Thanks for all who helped 🙂.
I have found out the cause of my problem.
I had used vue-cli to build my project and it used a package called 'url-loader' which was inlining images as data urls whenever the size of the image was less than 1000 bytes. That's the reason why my relative URL was getting converted to data url. I have reduced that limit to 1 byte to avoid any conversion.