Open
Bug 1449246
Opened 6 years ago
Updated 2 years ago
CSP shows error about attribute removed through sanitizer before actually appending to DOM
Categories
(Core :: DOM: Security, defect, P3)
Tracking
NEW
| | Tracking | Status |
|---|---|---|
| firefox61 | --- | affected |
People
(Reporter: Gijs, Unassigned)
Details
(Whiteboard: [domsecurity-backlog3])
STR:

0. disable e10s for ease of debugging
1. open about:reader
2. open browser console
3. run:

```js
parserUtils = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
parserUtils.parseFragment(
  "<div onclick='alert(`hi`)'></div>",  // fragment to sanitize
  Ci.nsIParserUtils.SanitizerDropForms | Ci.nsIParserUtils.SanitizerAllowStyle,  // sanitizer flags
  false,                                // isXML
  null,                                 // baseURI
  content.document.body                 // context element
);
```

ER: you get a div with no attributes and no CSP errors

AR: you get a div with no attributes AND you get a CSP error.
Comment 1•6 years ago (Reporter)
(In reply to :Gijs from comment #0)
> STR:
>
> 0. disable e10s for ease of debugging
> 1. open about:reader

Err, this requires opening an article (e.g. http://www.bbc.co.uk/news/science-environment-43518365 ) and then entering reader mode. Apologies for the confusion.
Updated•6 years ago
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]
Updated•2 years ago
Severity: normal → S3