CSP style-src-attr blocks SVG animation of flood-color
Categories: Core :: DOM: Security, defect
People: Reporter: jemandel, Unassigned
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0
Steps to reproduce:
SVG animation attached with d3:
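// feFlood is a d3 selection of the <feFlood> filter primitive (its creation is not shown in the report)
let flood = '#FF0000;0';
feFlood.append('animate')
  .attr('attributeName', 'flood-color')
  .attr('values', flood);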
Actual results:
Content-Security-Policy: (Report-Only policy) The page’s settings would block an inline style (style-src-attr) from being applied because it violates the following directive: “style-src-attr 'none'”
Source: #FF0000
Note that the Source is the hex value. I have confirmed this behavior in Firefox on 2 Macs and 1 Windows machine. The only way to make the animation work on Firefox is to set style-src-attr to 'unsafe-inline'.
Expected results:
Nothing. This is what happens in Chrome and Safari on Mac and Chrome and Edge on Windows.
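A d3-free way to check the behaviour described in this report, added here as an example and not taken from the bug or from any browser's test suite: a small Node.js server that sends the Report-Only policy quoted in the console message, and a page that attaches the same animate element through plain DOM calls. The filter id, rectangle, dur, repeatCount, port and function names are assumptions; the report shows only attributeName and values.

```javascript
// Added repro harness, not code from the bug report. Node.js, no dependencies.
// Policy string copied from the console message quoted in the report.
const CSP_REPORT_ONLY = "style-src-attr 'none'";

// The page script builds the filter with createElementNS/setAttribute, the DOM
// calls d3's append()/attr() make. Filter id, rect size and dur are assumptions.
function buildPage(values = '#FF0000;0') {
  // Escape "<" so a test value cannot close the inline script element.
  const literal = JSON.stringify(values).replace(/</g, '\\u003c');
  return `<!doctype html>
<meta charset="utf-8">
<title>style-src-attr and animate flood-color</title>
<svg id="root" width="120" height="120"></svg>
<script>
  const NS = 'http://www.w3.org/2000/svg';
  const make = (parent, name, attrs) => {
    const el = parent.appendChild(document.createElementNS(NS, name));
    for (const [k, v] of Object.entries(attrs)) el.setAttribute(k, v);
    return el;
  };
  // Log each violation so the result can be compared across browsers.
  document.addEventListener('securitypolicyviolation', (e) =>
    console.log(e.effectiveDirective, e.disposition, e.blockedURI));
  const root = document.getElementById('root');
  const filter = make(make(root, 'defs', {}), 'filter', { id: 'f' });
  const feFlood = make(filter, 'feFlood', {});
  make(feFlood, 'animate', { attributeName: 'flood-color', values: ${literal},
    dur: '2s', repeatCount: 'indefinite' });
  make(root, 'rect', { width: 100, height: 100, filter: 'url(#f)' });
</script>`;
}

function responseHeaders() {
  return { 'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy-Report-Only': CSP_REPORT_ONLY };
}

function handler(req, res) {
  res.writeHead(200, responseHeaders());
  res.end(buildPage());
}

// node repro.js --serve, then open http://127.0.0.1:8080/ with the console open.
async function serve(port = 8080) {
  const http = await import('node:http');
  return http.createServer(handler).listen(port, '127.0.0.1');
}
if (process.argv.includes('--serve')) serve();
```

Loading the page in each browser and comparing the console output shows whether the style-src-attr report appears without d3 in the picture.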
Comment 1•1 month ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.