Closed Bug 1555629 Opened 6 years ago Closed 6 years ago

CSP error event does not trigger inside HTML blob with illegal URL in style

Categories

(Core :: DOM: Security, defect)

67 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1555630

People

(Reporter: paki37094, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

  1. Create a blob with a CSP rule inside like this one: default-src 'unsafe-inline'
  2. Create an iframe and put this blob as src
  3. In the blob, use CSS to put any rule with a relative URL (that should be blocked by the CSP)

Additional comment:
I joined an archive to show the problem.
When you open testblob2.html, it will create a blob from testblob3.html and trigger only one error instead of two.
When you directly open testblob3.html, you can see that there are two errors like it should.

I'm not sure what the normal behavior should be. When you are inside a blob, a relative URL like /image/image.png should trigger an error no matter what CSP is used (or no CSP at all). But as you can see, I also put the event for the normal errors ("error" event), and it's not triggered either.

I also noticed that when those CSS rules with forbidden/invalid relative URLs (without http://domain.com) are in a CSS file called by the blob, it doesn't trigger any event either.

Actual results:

Does not trigger error or securitypolicyviolation event

Expected results:

Trigger one of those 2 events
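The reproduction steps above as one script, for checking whether a given browser build reports the blocked load. This is an added example, not the reporter's attached testblob2.html/testblob3.html: the function names, the postMessage reporting and the one-second wait are assumptions, while the CSP value and the /image/image.png path are the ones quoted in the report.

```javascript
// Added example, not the reporter's attachment. Names are hypothetical.
const CSP = "default-src 'unsafe-inline'"; // policy quoted in step 1

// Step 3: inner document with a relative url() in inline CSS. Its listeners
// forward "securitypolicyviolation" and "error" events to the parent page.
function buildInnerHtml(csp = CSP, relUrl = "/image/image.png") {
  return `<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Security-Policy" content="${csp}">
<script>
  const report = (kind, detail) => parent.postMessage({ kind, detail }, "*");
  document.addEventListener("securitypolicyviolation", e =>
    report(e.type, e.violatedDirective + " blocked " + e.blockedURI));
  window.addEventListener("error", e =>
    report(e.type, (e.target && e.target.tagName) || e.message), true);
<\/script>
<style>body { background-image: url("${relUrl}"); }</style>
</head><body>blob document</body></html>`;
}

// Steps 1 and 2 (browser only): wrap the document in a blob, load it in an
// iframe, and collect whatever events the frame reports within waitMs.
function runRepro(waitMs = 1000) {
  return new Promise(resolve => {
    const events = [];
    const blob = new Blob([buildInnerHtml()], { type: "text/html" });
    const blobUrl = URL.createObjectURL(blob);
    const frame = document.createElement("iframe");
    const onMessage = e => {
      if (e.source === frame.contentWindow) events.push(e.data);
    };
    window.addEventListener("message", onMessage);
    frame.src = blobUrl;
    document.body.appendChild(frame);
    setTimeout(() => {
      window.removeEventListener("message", onMessage);
      URL.revokeObjectURL(blobUrl);
      resolve(events);
    }, waitMs);
  });
}

if (typeof document !== "undefined") {
  runRepro().then(events => console.log(events.length
    ? events : "no error or securitypolicyviolation event received"));
}
```

An empty result from `runRepro()` corresponds to the "Actual results" described in the report.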

Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE