Can I safely include the img src data scheme in the content security policy?

Asked by AnishaDalal in Cyber Security, asked on Feb 7, 2022

I have a Cordova app that transforms some images to base64. This violates CSP with this message:


Refused to load the image 'data:image/svg+xml;charset=US-ASCII,<?xml version="1.0" encod…E' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.


According to this answer, I can simply add data: to my Content-Security-Policy meta, but I would very much like to know whether this is safe. data: does not specify an origin, and therefore I fear it's unsafe.
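The scoping question raised here, as an added example that is not code from the question or the answer: a small JavaScript model of CSP's directive fallback (the behaviour the browser's error message describes, where a missing img-src falls back to default-src), used to compare a policy that puts data: in default-src with one that limits it to img-src. The directive names and fallback list follow the CSP specification; the two policies are constructed for the comparison.

```javascript
// Added example (not from the original question or answer): a minimal
// evaluator for CSP source lists that models directive fallback so the
// effect of where 'data:' is placed can be checked before shipping it.

// Parse "default-src 'self'; img-src 'self' data:" into a Map of
// directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    // CSP honours the first occurrence of a duplicated directive.
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Fetch directives that use default-src when they are not set explicitly.
const FALLS_BACK_TO_DEFAULT = new Set([
  'img-src', 'script-src', 'style-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src',
]);

// Effective source list for a directive, honouring the default-src fallback.
// Returns null when the policy places no restriction on that directive.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

// Does the policy permit a URL with the given scheme (e.g. "data") for the
// given directive? Only scheme-sources like "data:" are modelled; note that
// the wildcard '*' does not cover data:, blob: or filesystem: URLs in CSP,
// so it is deliberately not treated as a match here.
function allowsScheme(policy, directive, scheme) {
  const sources = effectiveSources(parseCsp(policy), directive);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  return sources.some((s) => s.toLowerCase() === `${scheme}:`);
}

// Constructed policies: the quick fix that widens default-src, beside the
// scoped fix that widens img-src only and leaves script-src on 'self'.
const WIDE_POLICY = "default-src 'self' data:";
const SCOPED_POLICY = "default-src 'self'; img-src 'self' data:";
```

With WIDE_POLICY, allowsScheme(..., 'script-src', 'data') is true because script-src inherits default-src; with SCOPED_POLICY it is false while img-src still accepts data: images.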

Answered by Andrea Bailey

The note on whitelisting the img-src data: protocol which is referenced says:

"data: Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts."

This is not in a part specific to the risks of data URIs in images, and I have not seen any substantive evidence that data URIs in images can execute code in a modern browser in any respect, never mind XSS a page. In certain contexts, an SVG image can execute JavaScript code, but these are either child contexts such as
data: Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts. This is not in a part specific to the risks of data URIs in images, and I have not seen any substantive evidence that data URIs in images can execute code in a modern browser in any respect, never mind XSS a page. In certain contexts, an SVG image can execute Javascript code, but these are either child contexts such as