Setting style of SVG elements before DOM insertion triggers CSP violation
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: thib.mozillabts-7b30, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Steps to reproduce:
In presence of a strict Content Security Policy with no 'unsafe-inline' for the style-src
rule, set individual style properties of an SVG element prior to adding it to the DOM.
(See https://sitedethib.com/unsafe-inline/svg-3.html)
Actual results:
This triggers the following CSP violation and ignore the style properties:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
Expected results:
Firefox should behave like other browsers and like it does for HTML elements, by inserting the SVG element with the correct style properties and without triggering a CSP violation.
Comment 1•4 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Updated•4 years ago
|
Comment 2•4 years ago
|
||
Thanks for reporting, that seems like a valid Bug to me.
Doing a quick check in the code it seems we are doing the CSP check within nsStyledElement::ParseStyleAttribute whereas we should do that later when actually inserting the element into the DOM.
Blocking the meta Bug 1231788 but have to put this in the backlog for now.
Updated•4 years ago
|
Description
•