Closed Bug 1609122 Opened 6 years ago Closed 6 years ago

Empty style element blocked by CSP with hash source

Categories

(Core :: DOM: Security, defect)

72 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1544705

People

(Reporter: spand, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

I have trouble whitelisting an empty style element with a hash source. This is in Firefox 72. The hash is taken from Chrome, in which the example does not trigger a CSP alert.

It may be related to https://bugzilla.mozilla.org/show_bug.cgi?id=1544705 but there is some talk of extensions which may be why it has not been prioritized yet. This is not an edge case in my mind.

Enter the following in the address bar:

data:text/html;charset=utf-8,
<meta http-equiv="Content-Security-Policy" content="style-src 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=';">
<script>
var s = document.head.appendChild(document.createElement("style"));
s.disabled = true;
alert(s.disabled);
</script>

Actual results:

False is alerted and the following is printed to the console:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).

Expected results:

True output and style element not blocked.
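The hash in the policy above is the base64 SHA-256 digest of the empty string, which is why it is the hash-source expected to match an empty style element. As an added example (not part of the original report and not Firefox code), the following Node.js code computes the hash-source for inline style content and checks it against a policy; the function names are assumptions of the example, and only hash-sources are evaluated.

```javascript
// Added example (not from the bug report): CSP hash-source matching for inline <style>.
const crypto = require("crypto");

// Build the hash-source expression a policy needs for the given inline content.
function cspHashSource(content, algo = "sha256") {
  const digest = crypto.createHash(algo).update(content, "utf8").digest("base64");
  return `'${algo}-${digest}'`;
}

// Parse a serialized policy into directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when a hash-source in the governing directive matches the content.
// Simplification: only hash-sources are evaluated (no nonces, no 'unsafe-inline').
function styleHashMatches(policy, content) {
  const d = parsePolicy(policy);
  const sources = d.get("style-src-elem") ?? d.get("style-src") ?? d.get("default-src") ?? [];
  const hashRe = /^'(sha256|sha384|sha512)-([A-Za-z0-9+\/_-]+={0,2})'$/i;
  return sources.some((src) => {
    const m = hashRe.exec(src);
    if (!m) return false;
    // Accept base64url spellings by normalising to standard base64.
    const expected = Buffer.from(m[2].replace(/-/g, "+").replace(/_/g, "/"), "base64");
    const actual = crypto.createHash(m[1].toLowerCase()).update(content, "utf8").digest();
    return expected.equals(actual);
  });
}

// Policy copied from the report; the non-empty stylesheet is constructed sample input.
const POLICY = "style-src 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=';";
console.log(cspHashSource(""));                  // hash-source for an empty <style>
console.log(styleHashMatches(POLICY, ""));       // empty element
console.log(styleHashMatches(POLICY, "body{}")); // any other content
```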

I would suggest this is a duplicate of Bug 1544705 but perhaps the assessment of the triage was too low. I'll mark the other for re-review and close this. Thanks for bringing it to our attention.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE

I am also experiencing difficulties with a similar situation, the hash being the same.
I'll explain more on the other issue, Bug 1544705 then.
