CSP-blocked images have `display: none !important` UA style
Categories
(Core :: Layout: Images, Video, and HTML Frames, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox82 | --- | fixed |
People
(Reporter: zcorpan, Assigned: emilio)
References
Details
Attachments
(1 file)
See demo: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/8459
<!DOCTYPE html>
<meta http-equiv=content-security-policy content="img-src 'none'">
<style>img { border: solid; }</style>
It should say PASS below:<br>
<img src=image alt="PASS">
The image is not rendered. Per devtools, it matches :-moz-suppressed UA style in html.css, which sets display: none !important.
Nothing in the HTML spec says to do this. Chromium and WebKit don't hide the image.
|
Reporter | |
Updated•4 years ago
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 1•4 years ago
|
||
Per spec we shouldn't behave differently depending on how we blocked the
image/object/etc.
This may have made sense in the past when ad blockers were implemented
via nsIContentPolicy, but I think nowadays it doesn't make sense, and
showing fallback is preferred.
There's a couple extra cleanups we can do after this lands, like
removing HTMLImageElement.imageBlockingStatus and simplifying a bit that
code. But I'll do that in a separate bug.
|
|
Assignee | |
Updated•4 years ago
|
|
||
Comment 4•4 years ago
|
||
Backed out changeset 64eb902728bc (Bug 1664156) for causing mochitest failures in test_meta_csp_self.html CLOSED TREE
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=315540807&repo=autoland&lineNumber=4251
Backout: https://hg.mozilla.org/integration/autoland/rev/cdc242832bf4bf19927f18751353bda8a961021e
|
||
Updated•4 years ago
|
|
|
Assignee | |
Updated•4 years ago
|
|
||
Comment 6•4 years ago
|
||
| bugherder | ||
Description
•