Open
Bug 1412271
Opened 7 years ago
Updated 2 years ago
createElementNS doesn't work with csp nonce
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
NEW
People
(Reporter: v.shmyroff, Unassigned)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(1 file)
975 bytes,
text/html
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 YaBrowser/17.9.1.768 Yowser/2.5 Safari/537.36

Steps to reproduce:
Create an SVG element with a namespace: document.createElementNS('http://www.w3.org/2000/svg', 'svg')
Add some style (elem.style.position = 'absolute';)
Add the element to the DOM (document.body.appendChild(elem);)

Link: http://vsesh.me/nonce_error.html

Actual results:
The SVG element is added without style. There is a CSP error in the console.

Expected results:
The SVG element must be added without errors.
Updated•7 years ago
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Comment 1•7 years ago
Your CSP requires a nonce for both scripts and style. When you create the style element you need to add the nonce attribute to it.
Group: dom-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
I didn't create a style element. I created a style attribute. It works with the createElement method. And it works in all other browsers. Please look at the example.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 3•7 years ago
Note: test document shows this works fine for a normal element, the failure is specifically with an element created in the SVG namespace. Possibly any namespaced element? Will have to test, but SVG for sure.
Updated•7 years ago
Whiteboard: [domsecurity-backlog1]
Updated•2 years ago
Severity: normal → S3
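A check for the behaviour discussed in this bug, as an added example that is not the reporter's attachment or Mozilla code: it applies the reported steps to an HTML element and to an SVG-namespace element and reports whether the style survives insertion. It assumes it is loaded by a nonce-carrying script on a page whose CSP requires a nonce for both scripts and styles; `probe`, `compareNamespaces` and `showsNamespaceAsymmetry` are hypothetical names.

```javascript
// Added example, not code from the bug's attachment.
// Assumption: loaded by a <script nonce="..."> on a page whose CSP requires
// a nonce for both scripts and styles, as described in comment 1.
const SVG_NS = 'http://www.w3.org/2000/svg';

// Style an element through elem.style before insertion (the order used in
// the report), append it, then read back what the engine kept.
function probe(doc, label, el) {
  el.style.position = 'absolute';
  doc.body.appendChild(el);
  const computed = doc.defaultView.getComputedStyle(el).position;
  return { label, inline: el.style.position, computed,
           styleApplied: computed === 'absolute' };
}

// Same steps for an HTML element and an SVG-namespace element, so a
// difference between the two rows isolates the namespace as the variable.
function compareNamespaces(doc) {
  return [
    probe(doc, 'createElement("div")', doc.createElement('div')),
    probe(doc, 'createElementNS(svg)', doc.createElementNS(SVG_NS, 'svg')),
  ];
}

// True when the HTML element kept its style but the SVG one did not,
// i.e. the asymmetry this bug describes.
function showsNamespaceAsymmetry(results) {
  const [html, svg] = results;
  return html.styleApplied && !svg.styleApplied;
}

// Browser-only part: log CSP violations (delivered asynchronously) and results.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (e) => {
    console.warn('CSP violation:', e.effectiveDirective, e.blockedURI);
  });
  const results = compareNamespaces(document);
  console.table(results);
  console.log('namespace asymmetry:', showsNamespaceAsymmetry(results));
}
```

Running it in several browsers under the same policy gives a side-by-side record of which engines drop the style on the SVG element.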