17 Sep
CSP, inline SVG, and XML attributes
I recently added some inline SVG images to my website, and the browsers complained about the style attributes within the SVG code not being covered by my strict CSP (style-src: self). Instead of adding unsafe-inline to the CSP or moving all styles to an external CSS (as proposed here), I followed this advice and converted the CSS style attribute to XML attributes (using scour), which worked well. Does this workaround create new attack vectors? The SVG images are static and hosted locally.