Open Bug 1513623 Opened 5 years ago Updated 2 years ago

CSP blocking inline style loses the style attribute value

Tracking

()

Status:

NEW

Tracking Flags:

Tracking

Status

firefox66

---

affected

People

(Reporter: bzbarsky, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

Testcase 5 years ago Boris Zbarsky [:bzbarsky] 295 bytes, text/html		Details

Boris Zbarsky [:bzbarsky]

Reporter

Description

•

5 years ago

Attached file Testcase — Details

Simple testcase is attached; see the console and compare to other browsers.

The code added in bug 763879 was not reviewed by a DOM peer.  That early return drops the attribute value on the floor, setting the value to "".

There is some thought on maybe making that be what it means to block inline style (see discussion in <https://github.com/w3c/webappsec-csp/issues/212>) but I wanted to get this on file in the meantime.

Daniel Veditz [:dveditz]

Updated

•

5 years ago

Blocks: csp-w3c-3

Priority: -- → P3

Whiteboard: [domsecurity-backlog2]

Daniel Veditz [:dveditz]

Updated

•

5 years ago

See Also: → https://github.com/w3c/webappsec-csp/issues/212

Whiteboard: [domsecurity-backlog2] → [domsecurity-backlog1]

Tom Schuster (MoCo)

Updated

•

2 years ago

Updated

•

2 years ago

Severity: normal → S3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

CSP blocking inline style loses the style attribute value

Categories

(Core :: DOM: Security, defect, P3)

Tracking

()

People

(Reporter: bzbarsky, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type