CSP nonce not honored for dynamically inserted <template> element, inline style blocked.
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: joachim.otto, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog2])
Attachments
(1 file)
566 bytes,
text/html
|
Details |
Steps to reproduce:
Open the page attached in Firefox and check the console of the "Developer Tools".
Actual results:
The colour of text "Test" on the page should be red; it is actually black, i.e. the styling is not being applied.
Expected results:
The text "Test" on the page should be coloured in red; there should be no CSP issue reported in "Developer Tools". The page works flawless in Chrome and Safari.
Remark: If you use a "div" instead of the "template" element, no CSP error occurs.
window.navigator.userAgent:
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0"
Comment 2•2 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Updated•2 years ago
|
Description
•