Closed Bug 1939530 Opened 1 month ago Closed 1 month ago

CSP style-src-attr blocks SVG animation of flood-color

Categories

(Core :: DOM: Security, defect)

Firefox 133

RESOLVED DUPLICATE of bug 1459872

People

(Reporter: jemandel, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0

Steps to reproduce:

SVG animation attached with d3:

    let flood = '#FF0000;0';
    feFlood.append('animate')
      .attr('attributeName', 'flood-color')
      .attr('values', flood);

Actual results:

Content-Security-Policy: (Report-Only policy) The page’s settings would block an inline style (style-src-attr) from being applied because it violates the following directive: “style-src-attr 'none'”
Source: #FF0000

Note that the Source is the hex value. I have confirmed this behavior in Firefox on 2 Macs and 1 Windows machine. The only way to make the animation work on Firefox is to set style-src-attr to 'unsafe-inline'.

Expected results:

Nothing. This is what happens in Chrome and Safari on Mac and Chrome and Edge on Windows.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 1 month ago
Duplicate of bug: 1459872
Resolution: --- → DUPLICATE
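
A triage helper for the report-only violations described in this bug, as an added example that is not part of the original report or of Firefox's code: it separates style-src-attr violations whose sample is a bare value (like the `#FF0000` shown under "Actual results") from ones that contain real style declarations. It assumes the policy includes 'report-sample' so that the event's `sample` field is populated; the function names and the declaration heuristic are illustrative.

```javascript
// Added example (not from the bug report). Classifies CSP violation events so
// that style-src-attr reports carrying a bare value, like the "#FF0000" in the
// report, can be told apart from genuine inline style attributes.
// Assumption: the policy includes 'report-sample', so `sample` is populated.

// Heuristic (assumption): a style attribute contains at least one
// "property: value" declaration; an animated value such as "#FF0000" does not.
const DECLARATION = /(^|;)\s*-{0,2}[a-zA-Z][\w-]*\s*:/;

function classifyViolation(v) {
  if (v.effectiveDirective !== 'style-src-attr') return 'other-directive';
  const sample = (v.sample || '').trim();
  if (sample === '') return 'no-sample';
  return DECLARATION.test(sample) ? 'style-declaration' : 'bare-value';
}

// Tally a batch of violations by class, to see how many style-src-attr
// reports come from real style attributes and how many from bare values.
function summarize(violations) {
  const counts = {};
  for (const v of violations) {
    const kind = classifyViolation(v);
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}

// Constructed sample events, shaped like SecurityPolicyViolationEvent.
const SAMPLE_EVENTS = [
  { effectiveDirective: 'style-src-attr', sample: '#FF0000', disposition: 'report' },
  { effectiveDirective: 'style-src-attr', sample: 'color: red; display: none', disposition: 'report' },
  { effectiveDirective: 'style-src-attr', sample: '', disposition: 'report' },
  { effectiveDirective: 'script-src-elem', sample: '', disposition: 'report' },
];

// In a browser, log each violation with its class as it happens.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (e) => {
    console.log(classifyViolation(e), e.effectiveDirective, e.sample);
  });
}
```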