Open Bug 1412271 Opened 7 years ago Updated 2 years ago

createElementNS doesn't work with csp nonce

Categories

(Core :: DOM: Security, defect, P3)

56 Branch
defect

People

(Reporter: v.shmyroff, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

Attached file nonce_error.html
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 YaBrowser/17.9.1.768 Yowser/2.5 Safari/537.36

Steps to reproduce:

Create an SVG element with a namespace: document.createElementNS('http://www.w3.org/2000/svg', 'svg')
Add some style (elem.style.position = 'absolute';)
Add the element to the DOM (document.body.appendChild(elem);)

Link: http://vsesh.me/nonce_error.html


Actual results:

The SVG element is added without style.
There is a CSP error in the console.


Expected results:

The SVG element must be added without errors.
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Your CSP requires a nonce for both scripts and style. When you create the style element you need to add the nonce attribute to it.
Group: dom-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
I didn't create a style element. I created a style attribute. It works with the createElement method. And it works in all other browsers.
Please look at the example.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Note: the test document shows this works fine for a normal element; the failure is specifically with an element created in the SVG namespace. Possibly any namespaced element? Will have to test, but SVG for sure.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Severity: normal → S3
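
A minimal page for re-checking the behaviour discussed in this bug, added here as an example; it is not the attached nonce_error.html. The nonce value, the policy string and the probe() helper are constructed for illustration.

```html
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<!-- Constructed policy: a nonce is required for scripts and for styles, as in
     the report. The nonce is a fixed placeholder for this demo only; a real
     server issues a fresh random nonce with every response. -->
<meta http-equiv="Content-Security-Policy"
      content="script-src 'nonce-EXAMPLE0nonce'; style-src 'nonce-EXAMPLE0nonce'">
<title>CSP nonce and element.style on namespaced elements</title>
</head>
<body>
<pre id="out"></pre>
<script nonce="EXAMPLE0nonce">
  const SVG_NS = 'http://www.w3.org/2000/svg';
  const out = document.getElementById('out');
  const log = (msg) => { out.textContent += msg + '\n'; };

  // CSP violation events are delivered asynchronously, so they are logged
  // as they arrive rather than counted inside probe().
  document.addEventListener('securitypolicyviolation', (e) => {
    log('violation: ' + e.violatedDirective + ' blocked ' + e.blockedURI);
  });

  // Hypothetical helper: style the element through the CSSOM (no style
  // attribute in markup, no <style> element), attach it, and read back
  // what the browser actually applied.
  function probe(label, elem) {
    elem.style.position = 'absolute';
    document.body.appendChild(elem);
    const applied = getComputedStyle(elem).position;
    log(label + ': computed position = ' + applied +
        (applied === 'absolute' ? ' (style applied)' : ' (style dropped)'));
  }

  // Control: an ordinary HTML element, which the thread says works.
  probe('createElement("div")', document.createElement('div'));
  // Case from the report: an element created in the SVG namespace.
  probe('createElementNS(SVG, "svg")',
        document.createElementNS(SVG_NS, 'svg'));
</script>
</body>
</html>
```

Load the page in the browser under test. The outcome the reporter expects is "style applied" on both lines with no violation logged; the reported behaviour is "style dropped" on the SVG line together with a CSP error.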