Closed Bug 1479406 Opened 6 years ago Closed 6 years ago

CSP script-src hash for link onload not working

Categories

(Core :: DOM: Security, defect)

57 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1343950

People

(Reporter: nrlz, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180704003137

Steps to reproduce:

Adding a CSP (Content Security Policy) to allow scripts on the "onload" event on a LINK element doesn't work:

<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-FY3+A+krHRDciNAvI9Kc5YT1jK98Oy/j/h5pPndCC6U='">
<link rel="stylesheet" media="bogus" href="newest.css" onload="this.media='all';">

This LINK with a bogus media type that is dynamically assigned back to "all" is a common way to simulate async CSS. But using CSP to allow "this.media='all';" via a SHA-256 hash doesn't work.

Actual results:

Firefox still reports a CSP violation in the console and ignores the "script-src 'sha256-xxx'" directive, meaning the JS is not executed.

Expected results:

It should allow that script to execute in the onload.
Hi, I think the Core > Security component is better suited for this issue, but please feel free to change it in case there is a more appropriate component for it.
Component: General → Security
Component: Security → DOM: Security
In CSP-2 script hashes only apply to elements, not event handlers. CSP-3 introduces the 'unsafe-hashed-attributes' keyword which we have not yet implemented. I believe Chrome has implemented this. https://w3c.github.io/webappsec-csp/#unsafe-hashes-usage
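The comment above describes the two rule sets that decide this bug: under CSP Level 2 a hash-source only covers the body of a script element, while CSP Level 3 lets a hash also cover an inline event-handler attribute, but only when the policy additionally carries the keyword the linked spec section calls 'unsafe-hashes'. The following Python model is an added example, not Firefox code and not part of this bug; it computes the hash-source for the reporter's handler text and evaluates a script-src directive under both levels. The functions `csp_hash_source`, `parse_script_src` and `allows_inline_handler` are hypothetical names, and the hash value is recomputed rather than copied from the report.

```python
import base64
import hashlib
import re

# Constructed sample: the exact attribute text the reporter wanted to allow.
HANDLER_SOURCE = "this.media='all';"

_HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")


def csp_hash_source(source_text: str, algorithm: str = "sha256") -> str:
    """Return the CSP hash-source ('<algo>-<base64>') for an inline script
    or handler. The digest covers the UTF-8 bytes of the text exactly as it
    appears in the markup, so any change in quoting or whitespace changes
    the hash and the policy stops matching."""
    digest = hashlib.new(algorithm, source_text.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def parse_script_src(policy: str) -> list[str]:
    """Extract the source expressions of the script-src directive, or an
    empty list when the policy has no script-src directive."""
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def allows_inline_handler(policy: str, handler_text: str, csp_level: int) -> bool:
    """Model whether an inline event-handler attribute may run under script-src.

    csp_level 2: hash-sources apply only to <script> element bodies, so the
                 handler runs only when 'unsafe-inline' is in effect.
    csp_level 3: a matching hash-source also covers the handler, provided the
                 directive carries 'unsafe-hashes' (assumption: spec semantics
                 as described in the linked section, modelled here, not a
                 claim about any particular browser release).
    In both levels 'unsafe-inline' is ignored once a nonce or hash is present.
    """
    sources = parse_script_src(policy)
    hashes = {s for s in sources if _HASH_RE.match(s)}
    has_nonce = any(s.lower().startswith("'nonce-") for s in sources)
    keywords = {s.lower() for s in sources if s.startswith("'")}

    if "'unsafe-inline'" in keywords and not hashes and not has_nonce:
        return True

    if csp_level >= 3 and "'unsafe-hashes'" in keywords:
        for h in hashes:
            algorithm = h[1:].split("-", 1)[0]
            if csp_hash_source(handler_text, algorithm) == h:
                return True
    return False


if __name__ == "__main__":
    h = csp_hash_source(HANDLER_SOURCE)
    print("hash-source:", h)
    for level, policy in [(2, f"script-src {h}"),
                          (3, f"script-src {h}"),
                          (3, f"script-src 'unsafe-hashes' {h}")]:
        print(f"CSP-{level} {policy!r} ->", allows_inline_handler(policy, HANDLER_SOURCE, level))
```

Running the model reproduces the report: a script-src with only the hash leaves the onload handler blocked at Level 2 and, without 'unsafe-hashes', at Level 3 as well; adding 'unsafe-hashes' beside the matching hash is what turns it into an allowed handler, and any edit to the attribute text invalidates the match.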
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE