Open Bug 1777166 Opened 2 years ago Updated 2 years ago

CSP nonce not honored for dynamically inserted <template> element, inline style blocked.

Categories

(Core :: DOM: Security, defect, P3)

Firefox 102
defect

People

(Reporter: joachim.otto, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog2])

Attachments

(1 file)

Steps to reproduce:

Open the page attached in Firefox and check the console of the "Developer Tools".

Actual results:

The colour of text "Test" on the page should be red; it is actually black, i.e. the styling is not being applied.

Expected results:

The text "Test" on the page should be coloured in red; there should be no CSP issue reported in "Developer Tools". The page works flawlessly in Chrome and Safari.

Remark: If you use a "div" instead of the "template" element, no CSP error occurs.

window.navigator.userAgent:
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0"

Attached file csp-template.html

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Blocks: csp-w3c-3
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Summary: CSP Issue With Fragment And Inline Style → CSP nonce not honored for dynamically inserted <template> element, inline style blocked.
Whiteboard: [domsecurity-backlog2]