Closed Bug 1637954 Opened 4 years ago Closed 4 years ago

Setting style of SVG elements before DOM insertion triggers CSP violation

Categories

(Core :: DOM: Security, defect, P3)

76 Branch
defect

RESOLVED DUPLICATE of bug 1494356

People

(Reporter: thib.mozillabts-7b30, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

In presence of a strict Content Security Policy with no 'unsafe-inline' for the style-src rule, set individual style properties of an SVG element prior to adding it to the DOM.

(See https://sitedethib.com/unsafe-inline/svg-3.html)

Actual results:

This triggers the following CSP violation and ignores the style properties:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).

Expected results:

Firefox should behave like other browsers and like it does for HTML elements, by inserting the SVG element with the correct style properties and without triggering a CSP violation.
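
A regression probe for the behaviour reported above, as an added example that is not part of the bug report or the linked test page: it styles a detached SVG element through the CSSOM, inserts it, and records dropped properties and `style-src` violation events. The helper names, the sample properties, and reading "ignored" as an empty `getPropertyValue()` result are assumptions; serve the page with a `style-src` policy that omits 'unsafe-inline'.

```javascript
// Added example: not code from the bug report or its linked test page.
const SVG_NS = "http://www.w3.org/2000/svg";

// Collect style-src violations reported on `doc` (hypothetical helper name).
// The returned array fills in as the browser delivers the events.
function collectStyleViolations(doc) {
  const seen = [];
  doc.addEventListener("securitypolicyviolation", (e) => {
    const directive = e.effectiveDirective || e.violatedDirective || "";
    if (directive.startsWith("style-src")) {
      seen.push({ directive, blockedURI: e.blockedURI });
    }
  });
  return seen;
}

// Style a detached SVG element through the CSSOM, then insert it.
// Returns the names of the properties that did not survive.
// Assumption: an ignored property reads back as the empty string.
function styleDetachedSvg(doc, props) {
  const svg = doc.createElementNS(SVG_NS, "svg");
  const rect = doc.createElementNS(SVG_NS, "rect");
  rect.setAttribute("width", "40");
  rect.setAttribute("height", "40");
  for (const [name, value] of Object.entries(props)) {
    rect.style.setProperty(name, value); // CSSOM write, no style="" markup
  }
  svg.appendChild(rect);
  doc.body.appendChild(svg);
  return Object.keys(props).filter(
    (name) => rect.style.getPropertyValue(name) === ""
  );
}

// In a browser, run the probe and log the verdict on a later task,
// so that queued violation events have a chance to arrive first.
if (typeof document !== "undefined") {
  const seen = collectStyleViolations(document);
  const dropped = styleDetachedSvg(document, { fill: "red", stroke: "blue" });
  setTimeout(() => {
    const affected = dropped.length > 0 || seen.length > 0;
    console.log(affected ? "affected" : "ok", { dropped, seen });
  }, 0);
}
```
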

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Flags: needinfo?(ckerschb)

Thanks for reporting, that seems like a valid Bug to me.

Doing a quick check in the code, it seems we are doing the CSP check within nsStyledElement::ParseStyleAttribute, whereas we should do that later, when actually inserting the element into the DOM.

Blocking the meta Bug 1231788 but have to put this in the backlog for now.

Blocks: csp-w3c-3
Severity: -- → S3
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE