I'm adding docs for this in FF93, which you can track in https://github.com/mdn/content/issues/8614 From what I can see, and basic testing, this adds a global `onsecuritypolicyviolation` event handler. I **think** this means that you can now add your listener to the window rather than just `document` is that right? So now you can do ``` window.onsecuritypolicyviolation = function(e) { console.log(e); }; // or window.addEventListener("securitypolicyviolation", (e) => { console.log(e); }); ``` Previously you could only observe on document. ``` document.addEventListener("securitypolicyviolation", (e) => { //or use onsecuritypolicyviolation console.log(e); }); ``` Playing around it seems that if there is a violation an element would be null, so presumably you can't add a listener to an element that might violate the security model, because if it does, then it won't exist and the element won't fire? is that about right? Is there any more specialness to be being able to add to window rather than just document?
Bug 1727302 Comment 5 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I'm adding docs for this in FF93, which you can track in https://github.com/mdn/content/issues/8614 From what I can see, and basic testing, this adds a global `onsecuritypolicyviolation` event handler. I **think** this means that you can now add your listener to the window rather than just `document` is that right? So now you can do ``` window.onsecuritypolicyviolation = function(e) { console.log(e); }; // or window.addEventListener("securitypolicyviolation", (e) => { console.log(e); }); ``` Previously you could only observe on document. ``` document.addEventListener("securitypolicyviolation", (e) => { //or use onsecuritypolicyviolation console.log(e); }); ``` Is that about right? Is there any more "specialness" to this? Why would it matter particularly to be able to add to Window rather than document? The spec indicates that the event will be raised on any element and bubble up. Interestingly though, testing seems to show that if there is a violation an element would be null. Presumably this means that even though an event will bubble you can't actually add a listener to the element itself. That's a bit different than for most things, because presumably it means you can't just add listeners to a couple of elements you're particularly worried about. Am I correct in this (you can't successfully handle the event by listening on the element?)
I'm adding docs for this in FF93, which you can track in https://github.com/mdn/content/issues/8614 From what I can see, and basic testing, this adds a global `onsecuritypolicyviolation` event handler. I **think** this means that you can now add your listener to the window or a document or any other element rather than having to use `addEventListener`. Is that right? Is there any more "specialness" to this? EDIT: NOte, this was edited. My original question based on bogus testing.
I'm adding docs for this in FF93, which you can track in https://github.com/mdn/content/issues/8614 From what I can see, and basic testing, this adds a global `onsecuritypolicyviolation` event handler. I **think** this means that you can now add your listener to the window or a document or any other element rather than having to use `addEventListener`. Is that right? Is there any more "specialness" to this? Further, the spec says "The following event handler content attributes may be specified on any HTML element:". However I wrote some test code and found that while the handler is showing up as not `undefined` (using `typeof`) the on... handler or a handler added using `addEventListener` are not called (for `<p>` or `<img>`). Is this expected? Note that on chrome the onsecuritypolicyviolation is undefined for elements like p and img (however it is defined for window/document)
I'm adding docs for this in FF93, which you can track in https://github.com/mdn/content/issues/8614 From what I can see, and basic testing, this adds a global `onsecuritypolicyviolation` event handler. I **think** this means that you can now add your listener to the window or a document or any other element rather than having to use `addEventListener`. Is that right? Is there any more "specialness" to this? Further, the spec says "The following event handler content attributes may be specified on any HTML element:". However I wrote some test code and found that while the handler is showing up as not `undefined` (using `typeof`) the on... handler or a handler added using `addEventListener` are not called (for `<p>` or `<img>`). Is this expected? Note that on chrome the onsecuritypolicyviolation is undefined for elements like p and img (however it is defined for window/document) Further, I'm a little confused that Chrome testing shows it does support `onsecuritypolicyviolation` on window and document (but not elements) but also says that it does not support it on global eventhandlers in https://bugs.chromium.org/p/chromium/issues/detail?id=1242893&q=onsecuritypolicyviolation&can=2 ... perhaps it is adding to the global list that ensures this can be added to any element?
I'm adding docs for this in FF93, which you can track in https://github.com/mdn/content/issues/8614 From what I can see, and basic testing, this adds a global `onsecuritypolicyviolation` event handler. I **think** this means that you can now `onsecuritypolicyviolation` on `window` or `document` or _any other element_. Before this change on Firefox you couldn't use `onsecuritypolicyviolation` at all (though you could use `addEventListener` on document or Window). Is that about right? The spec says "The following event handler content attributes may be specified on any HTML element:". However I wrote some test code and found that a handler added to `<p>` or `<img>` using `onsecuritypolicyviolation` does not seem to be fired - while it is for Document or Window. My test shows that the method is not `undefined` (using `typeof`) so presumably it exists. Perhaps this is because of the nature of the API. If you add the handler before the HTML is loaded (before a violation) presumably the element is null - and so you won't be able to add the handler. If you add a script after HTML has loaded the violation has already occurred, so you won't see the event at all. In other words it feels like even though you can add this to elements, you will never actually see it fired if you do. Does that make sense? Is there any more "specialness" to this?
I'm adding docs for this in FF93, which you can track in https://github.com/mdn/content/issues/8614 From what I can see, and basic testing, this adds a global `onsecuritypolicyviolation` event handler. I **think** this means that you can now use `onsecuritypolicyviolation` on `window` or `document` or _any other element_. Before this change on Firefox you couldn't use `onsecuritypolicyviolation` at all (though you could use `addEventListener` on document or Window). Is that about right? The spec says "The following event handler content attributes may be specified on any HTML element:". However I wrote some test code and found that a handler added to `<p>` or `<img>` using `onsecuritypolicyviolation` does not seem to be fired - while it is for Document or Window. My test shows that the method is not `undefined` (using `typeof`) so presumably it exists. Perhaps this is because of the nature of the API. If you add the handler before the HTML is loaded (before a violation) presumably the element is null - and so you won't be able to add the handler. If you add a script after HTML has loaded the violation has already occurred, so you won't see the event at all. In other words it feels like even though you can add this to elements, you will never actually see it fired if you do. Does that make sense? Is there any more "specialness" to this?