Status

addons.mozilla.org Graveyard
Code Quality
RESOLVED INVALID
7 years ago
2 years ago

People

(Reporter: clouserw, Assigned: andym)

Tracking

unspecified
Q2 2011

Details

(Reporter)

Description

7 years ago
grep says these files have <style> tags in them which will break with CSP:

apps/browse/templates/browse/base_listing.html
apps/amo/templates/amo/category-arrow.html
(Reporter)

Updated

7 years ago
Blocks: 594584
Is that true? I can't really tell from the spec (https://wiki.mozilla.org/Security/CSP/Specification), but it seems unlikely.

style-src

    Indicates which sources are valid for externally linked stylesheets.
    User Agents MUST always allow inline stylesheets and style attributes of HTML tags.
    User Agents MUST NOT request stylesheets from sources not allowed by the style-src directive.
    User Agents MUST subject stylesheet requests to the allow directive if style-src is not explicitly specified. 

And does this include style="" attributes too?
(Reporter)

Comment 2

7 years ago
Hmm, I think you are right that the bug is invalid, due to:

> This includes externally linked stylesheets, as well as 
> inline <style> elements and style attributes of HTML elements 
> within the protected document

Which would mean as long as we had 'self' in there, we could load off the pages.  At least that's how I'm reading it.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
Product: addons.mozilla.org → addons.mozilla.org Graveyard
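
The audit from the description, extended to the `style=""` attributes asked about in the first reply, as an added example that is not part of the bug or the AMO code base. The template names and contents are constructed samples; the scanner lists both kinds of inline style with line numbers so each can be checked against whichever reading of the spec applies.

```python
from html.parser import HTMLParser


class InlineStyleFinder(HTMLParser):
    """Records every <style> element and style="" attribute with its line."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, kind, tag)

    def handle_starttag(self, tag, attrs):
        line, _col = self.getpos()  # position of the tag's opening '<'
        if tag == "style":
            self.findings.append((line, "style-element", tag))
        if any(name == "style" for name, _value in attrs):
            self.findings.append((line, "style-attribute", tag))


def scan_templates(templates):
    """templates maps a name to template source; returns sorted findings."""
    report = []
    for name, source in templates.items():
        finder = InlineStyleFinder()
        finder.feed(source)  # template tags such as {% ... %} pass through as text
        finder.close()
        report.extend((name, line, kind, tag)
                      for line, kind, tag in finder.findings)
    return sorted(report)


# Constructed sample input (not the real AMO templates).
SAMPLE_TEMPLATES = {
    "listing.html": (
        '{% extends "base.html" %}\n'
        "{% block content %}\n"
        "<style>\n"
        "  .listing { margin: 0; }\n"
        "</style>\n"
        '<div class="listing" style="display:none">{{ addon.name }}</div>\n'
        "{% endblock %}\n"
    ),
    "clean.html": '<link rel="stylesheet" href="/media/css/main.css">\n',
}

if __name__ == "__main__":
    for name, line, kind, tag in scan_templates(SAMPLE_TEMPLATES):
        print(f"{name}:{line}: {kind} on <{tag}>")
```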