Closed
Bug 1314567
Opened 8 years ago
Closed 5 years ago
CSP violations for <marquee> tags with inline event handlers should report with script samples
Categories
(Core :: Security, defect, P3)
RESOLVED
INVALID
People
(Reporter: freddy, Unassigned)
Details
(Keywords: sec-other)
This is a follow-up of bug 1312272, where I made the <marquee> tag _adhere_ to the CSP for inline event handlers in the first place.
The XBL-Script that implements the marquee element knows the event name and the script, but the interface on the document does the blocking & reporting logic. This document interface currently (with bug 1312272 fixed) does not get information about the event handler.
ckerschb said on IRC that it is really, really low priority, so I'm filing this as a follow-up.
(This bug should have the dom-security flag. I lack permissions to set this, so I am throwing this in the generic security bin)
Updated•8 years ago
Group: core-security → dom-core-security
Keywords: sec-other
Whiteboard: hidden while bug 1312272 is hidden
Reporter
Comment 1•7 years ago
This is mere feature work. It was supposed to be hidden until bug 1312272 was resolved, which has been quite a while.
Group: dom-core-security
Whiteboard: hidden while bug 1312272 is hidden
Comment 2•7 years ago
Ideally we could just land telemetry and remove these events; this would prevent any further work here.
Depends on: 1392710
Reporter
Comment 3•5 years ago
We removed all XBL and the test from bug 1312272 ensured we didn't regress on CSP compliance with marquee elements. Closing.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID