Open Bug 1513623 Opened 2 years ago Updated 5 months ago

CSP blocking inline style loses the style attribute value

Categories

(Core :: DOM: Security, defect, P3)

Tracking Status
firefox66 --- affected

People

(Reporter: bzbarsky, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

Attached file Testcase
Simple testcase is attached; see the console and compare to other browsers.

The code added in bug 763879 was not reviewed by a DOM peer. That early return drops the attribute value on the floor, setting the value to "".

There is some thought on maybe making that be what it means to block inline style (see discussion in <https://github.com/w3c/webappsec-csp/issues/212>) but I wanted to get this on file in the meantime.
Blocks: csp-w3c-3
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Whiteboard: [domsecurity-backlog2] → [domsecurity-backlog1]