Open
Bug 1449246
Opened 6 years ago
Updated 2 years ago
CSP shows error about attribute removed through sanitizer before actually appending to DOM
Categories
(Core :: DOM: Security, defect, P3)
Core
DOM: Security
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox61 | --- | affected |
People
(Reporter: Gijs, Unassigned)
References
Details
(Whiteboard: [domsecurity-backlog3])
STR:
0. disable e10s for ease of debugging
1. open about:reader
2. open browser console
3. run:
parserUtils = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils); parserUtils.parseFragment("<div onclick='alert(`hi`)'></div>",
Ci.nsIParserUtils.SanitizerDropForms | Ci.nsIParserUtils.SanitizerAllowStyle,
false, null, content.document.body);
ER:
you get a div with no attributes and no CSP errors
AR:
you get a div with no attributes AND you get a CSP error.
|
Reporter | |
Comment 1•6 years ago
|
||
(In reply to :Gijs from comment #0) > STR: > > 0. disable e10s for ease of debugging > 1. open about:reader Err, this requires opening an article (e.g. http://www.bbc.co.uk/news/science-environment-43518365 ) and then entering reader mode. Apologies for the confusion.
|
||
Updated•6 years ago
|
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•