author | Moonchild <moonchild@palemoon.org> | 2022-07-12 12:48:06 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2022-07-12 12:48:06 +0000 |
commit | 9ef50065928d5bfb3ff0ee80330615a1ebc4cc21 (patch) | |
tree | eba2156b7e4dd34a035f686ef18c2e3c867460ae /dom/base/nsDocument.cpp | |
parent | 68bfe68581521ccb2363910fae18e06c12f6b573 (diff) | |
Issue #1959 - Don't apply CSPs to explicit data documents and images.
This resolves #1959
Diffstat (limited to 'dom/base/nsDocument.cpp')
-rw-r--r-- | dom/base/nsDocument.cpp | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp
index 95827151db..f5df30ffed 100644
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -2504,6 +2504,21 @@ nsDocument::InitCSP(nsIChannel* aChannel)
 return NS_OK;
 }
+ // If this is explicitly loaded as a data document, no need to set a CSP.
+ if (mLoadedAsData) {
+ return NS_OK;
+ }
+
+ // If this is an image, no need to set a CSP.
+ // If we don't do this, SVG images will be parsed as normal XML documents and
+ // subject to served CSPs, which might block internally applied inline styles.
+ // See UXP issue #1959.
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();
+ if (loadInfo->GetExternalContentPolicyType() ==
+ nsIContentPolicy::TYPE_IMAGE) {
+ return NS_OK;
+ }
+
 nsAutoCString tCspHeaderValue, tCspROHeaderValue;
 nsCOMPtr<nsIHttpChannel> httpChannel;
@@ -2532,7 +2547,6 @@ nsDocument::InitCSP(nsIChannel* aChannel)
 // Check if this is a signed content to apply default CSP.
 bool applySignedContentCSP = false;
- nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();
 if (loadInfo && loadInfo->GetVerifySignedContent()) {
 applySignedContentCSP = true;
 } |
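Review bot: The added image check dereferences `loadInfo` without a null test (`loadInfo->GetExternalContentPolicyType()`), while the unchanged line in the second hunk still guards the same pointer with `if (loadInfo && loadInfo->GetVerifySignedContent())`, so the function already treats a channel without load info as possible. Guard the new condition the same way: `if (loadInfo && loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGE) {`. Both early returns also switch off a security control, so the comments should name the invariant that makes skipping CSP safe (presumably that script does not run in data documents or in documents loaded as images; that is inferred and worth confirming) rather than only the rendering symptom. InitCSP begins and ends outside these hunks, so any earlier check of `aChannel` or its load info is not visible here.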