Closed
Bug 1479406
Opened 6 years ago
Closed 6 years ago
CSP script-src hash for link onload not working
Categories
(Core :: DOM: Security, defect)
RESOLVED
DUPLICATE
of bug 1343950
People
(Reporter: nrlz, Unassigned)
Details
Attachments (1 file): 327 bytes, text/html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180704003137
Steps to reproduce:
Adding a CSP (Content Security Policy) to allow scripts on the "onload" event on a LINK element doesn't work:
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-FY3+A+krHRDciNAvI9Kc5YT1jK98Oy/j/h5pPndCC6U='">
<link rel="stylesheet" media="bogus" href="newest.css" onload="this.media='all';">
This LINK with bogus media type and dynamically assigning it back to "all" is common to simulate async CSS.
But using CSP to allow "this.media='all';" via SHA-256 hash doesn't work.
Actual results:
Firefox still reports a CSP violation in the console and ignores the "script-src 'sha256-xxx'" directive, meaning the JS is not executed.
Expected results:
It should allow that script to execute in the onload.
Comment 1 • 6 years ago
Hi, I think the Core > Security component is better suited for this issue, but please feel free to change it in case there is a more appropriate component for it.
Component: General → Security
Updated•6 years ago
Component: Security → DOM: Security
Comment 2 • 6 years ago
In CSP-2 script hashes only apply to elements, not event handlers. CSP-3 introduces the 'unsafe-hashed-attributes' keyword which we have not yet implemented. I believe Chrome has implemented this.
https://w3c.github.io/webappsec-csp/#unsafe-hashes-usage
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE