'Content Security Policy violation with Bootstrap 5

I have a site using Bootstrap 5 that includes the following input tag:

<input class="form-check-input ms-1" id="validated" name="validated" type="checkbox" checked>

The inclusion of the form-check-input class causes the client to generate the error message:

Refused to load the image 'data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20 20'%3e%3cpath fill='none' stroke='%23fff' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M6 10l3 3l6-6'/%3e%3c/svg%3e' because it violates the following Content Security Policy directive: "img-src 'self' www.w3.org".

Can someone please lend me a clue as to why this is being blocked? I have tried all the permutations of data://www.w3.org, http://www.w3.org, *.w3.org, etc., in the CSP and none seem to satisfy the client.

This happens identically with a Chrome and Edge client.

content-security-policybootstrap-5


Solution 1:[1]

Bootstrap CSS stylesheet contains .form-check-input class with data:-Url images:

.form-check-input:checked[type=checkbox] {
  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20 20'%3e%3cpath fill='none' stroke='%23fff' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M6 10l3 3l6-6'/%3e%3c/svg%3e");
}
.form-check-input:checked[type=radio] {
  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='2' fill='%23fff'/%3e%3c/svg%3e");
}
.form-check-input[type=checkbox]:indeterminate {
  background-color: #0d6efd;
  border-color: #0d6efd;
  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20 20'%3e%3cpath fill='none' stroke='%23fff' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M6 10h8'/%3e%3c/svg%3e");
}

To allow these images you have to add data: scheme-source into img-src directive.

Solution 2:[2]

You can also extract the SVGs into separate files using Webpack. For example, see https://github.com/charlesroelli/bootstrap-webpack-csp-compat-config, specifically the file webpack.config.js:

modules.exports = {
  ...,
  module: {
    rules: [
      {
        mimetype: 'image/svg+xml',
        scheme: 'data',
        type: 'asset/resource',
        generator: {
          filename: 'icons/[hash].svg'
        }
      }
    ]
  }
};

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 granty
Solution 2 Charles

Related Questions

Jenkins Content Security Policy

content-security-policy doesn't work; I want to have my website load in an iFrame on ONE other website only

Adding nonce value to @Scripts.Render ASP.Net MVC razor pages with NWebSec

Iframe in Chrome error: Failed to read 'localStorage' from 'Window': Access denied for this document

How do I allow the Geolocation API inside an iframe?

Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback

Why won't my content security policy deploy to CloudFront?

Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”

Why can't Mozilla observatory detect the http security headers on my website anymore?

Angular build generates index.html with <style> tag

How to have Cypress go through every page on site to see if there are any console errors and if so, make it known to the user running the test

Angular application throwing "inline style..." error due to CSP response header configured on server

Chrome Extension: Refused to load the script, because it violates the following Content Security Policy directive: "script-src 'self'"

Unable to use dynamic svg url in github Readme.md

Chrome data-URI; CSP-violation although nonce- and sha256- are set