-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Display SVG files as images instead of text #14101
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for this PR, and especially thank you for including tests & documentation :)
This is not an exhaustive review, just a few preliminary comments.
I have to say I like the "Raw" button on GitHub for SVG. It just opens the SVG with the mime type |
Without adding If someone understands this issue better and can explain why adding |
Good read on SVG security: https://www.w3.org/wiki/SVG_Security You're right, |
That's why we use |
Few minor UI things:
I think ultimately we'll need a switchable view with source and rendered but I guess rendered only will work as a start. CI failure seems unrelated, maybe you can rebase/push once more to get it restarted. |
Regarding raw: How about just showing the source in I also noticed SMIL animations (example) do not play in Firefox (they do in Chrome) when right clicking and |
Agree with |
If we did that, then embedding SVG images in markdown wouldn't work. Assuming the embedding uses the same raw URL, the server cannot distinguish between the two cases.
|
Yes they play in GitHub but not in Gitea because of the missing
I think it's unavoidable we add a JS-switchable view for rendered/source mode. Do you think you can implement something like that here? |
Yes, I can add a way in the UI to toggle between text source and image. Should I add |
To clarify, it's not clear to me that we can just do what GitHub does in terms of the CSP because GitHub has additional security measures like serving content from a different domain. Presumably, serving from another domain is a much larger change that is out of scope for this pull request. But I could be wrong. |
It's the only way to get SMIL to work in Firefox and I think it's an essential part of SVG. I don't see anything wrong allowing inline styles. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1683972 because I believe classifying SMIL as inline style is wrong in Firefox. |
cf474b6
to
96b0fa8
Compare
I agree, JS toggle can come later. |
@silverwind @techknowlogick @zeripath If you have a chance can you take a look through this PR? Should be all set & a big improvement to how gitea handles svgs. Most of the files in the diff are for integration test. |
@@ -46,6 +46,11 @@ func ServeData(ctx *context.Context, name string, reader io.Reader) error { | |||
} else if base.IsImageFile(buf) || base.IsPDFFile(buf) { | |||
ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name)) | |||
ctx.Resp.Header().Set("Access-Control-Expose-Headers", "Content-Disposition") | |||
if base.IsSVGImageFile(buf) { | |||
ctx.Resp.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is unsafe-inline
necessary here? ref. https://content-security-policy.com/unsafe-inline/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Without it, many SVG images look nothing like they're intended to look. Many SVG attributes have a style alternative.
That said, I originally omitted it, but I was asked to add it in another comment in this PR. As long as it's safe, I think that including it is a good thing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please see my ref article, It said
When you want to allow inline scripts or styles on a page that uses CSP, there two much better options: nonce or hash.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I read the article. I'm having trouble understanding how nonce or hash is actually better. If I understand it correctly, a hash prevents modification between the server and client, which is not more than what HTTPS would do. So this is to make the HTTP case safer.
If you think that's what we should do, it's not clear to me how to actually implement it. It seems like we would need to parse the SVG file enough to either insert nonces at the appropriate places in the SVG or read all the inline styles so that we can compute their hashes. Is this what you're saying? I'm guessing this must include all the style="..."
attributes. There could potentially be many of them. I'll think about it some more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lunny The suggestion from the ref article is not applicable in this case, as the CSP is applied when rendering user-generated content (the SVG file). The general purpose of using nonce is so that website can include inline script in non-user controlled HTML content while at the same time benefiting from CSP blocking possible XSS attacks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nonce of CSP requires a change to the svg content dynamiclly which will make the thing complicated.
@lunny Is the "View Raw" case really commonly used? In my opinion we should take the most conservative/secure option for view raw or disable it for SVG and keep the size of this PR reasonable.
|
* master: (252 commits) Issues overview should not show issues from archived repos (go-gitea#13220) Display SVG files as images instead of text (go-gitea#14101) [skip ci] Updated translations via Crowdin Update docs to clarify issues raised in go-gitea#14272 (go-gitea#14318) [skip ci] Updated translations via Crowdin [Refactor] Passwort Hash/Set (go-gitea#14282) Add option to change username to the admin panel (go-gitea#14229) fix mailIssueCommentBatch for pull request (go-gitea#14252) Remove self from MAINTAINERS (go-gitea#14286) Do not reload page after adding comments in Pull Request reviews (go-gitea#13877) Fix session bug when introduce chi (go-gitea#14287) [skip ci] Updated translations via Crowdin Add secure/httpOnly attributes to the lang cookie (go-gitea#9690) (go-gitea#14279) Some code improvements (go-gitea#14266) [skip ci] Updated translations via Crowdin Fix wrong type on hooktask to convert typ from char(16) to varchar(16) (go-gitea#14148) Upgrade XORM links in documentation. (go-gitea#14265) Check permission for the appropriate unit type (go-gitea#14261) Add compliance check for windows to ensure cross platform build (go-gitea#14260) [skip ci] Updated translations via Crowdin ...
hi. saw that this was merged but it was not yet released right? Tried to configure Gitea ui.svg ENABLE_RENDER = true in app.ini but i guess thats another setting, not related to this? Looking forward to directly display SVG files in preview instead of plaintext.
|
I believe it is queued for release in version |
This is an attempt to close #1095. It makes the following changes:
Content-Type: image/svg+xml
instead oftext/plain
,text/html
, ortext/xml
. This allows users to view an SVG as an image when browsing a repo's tree and when it's embedded in a markdown file.Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
andX-Content-Type-Options: nosniff
. This prevents the execution of scripts in untrusted SVG files.Hides the "raw" button when viewing SVG files since unsafe styles aren't displayed, and viewing the image without styles may be confusing. Users can always right-click on the image to view or save it.I tested this with https://github.com/edgar-bonet/test-svg-mime in Firefox and Chrome.