Closed Bug 655201 Opened 13 years ago Closed 13 years ago

Inline styles gotta go

Categories

(addons.mozilla.org Graveyard :: Code Quality, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID
Q2 2011

People

(Reporter: clouserw, Assigned: andy+bugzilla)

grep says these files have <style> tags in them which will break with CSP:

apps/browse/templates/browse/base_listing.html
apps/amo/templates/amo/category-arrow.html

Blocks: 594584

Is that true? I can't really tell from the spec (https://wiki.mozilla.org/Security/CSP/Specification), but it seems unlikely.

style-src

    Indicates which sources are valid for externally linked stylesheets.
    User Agents MUST always allow inline stylesheets and style attributes of HTML tags.
    User Agents MUST NOT request stylesheets from sources not allowed by the style-src directive.
    User Agents MUST subject stylesheet requests to the allow directive if style-src is not explicitly specified. 

And does this include style="" attributes too?

Hmm, I think you are right that the bug is invalid, due to:

> This includes externally linked stylesheets, as well as 
> inline <style> elements and style attributes of HTML elements 
> within the protected document

Which would mean as long as we had 'self' in there, we could load off the pages. At least that's how I'm reading it.

Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Product: addons.mozilla.org → addons.mozilla.org Graveyard
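
An added example, not part of the bug thread or the project's code: the grep in the report matches `<style>` tags only, while a later comment also asks about `style=""` attributes. This sketch audits template source for both, skipping markup inside HTML comments; the names `InlineStyleFinder` and `find_inline_styles` are hypothetical and the sample template is constructed.

```python
from html.parser import HTMLParser


class InlineStyleFinder(HTMLParser):
    """Collects (line, kind, detail) for every piece of inline CSS in a template."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased, so <STYLE> and STYLE="" match too.
        line, _ = self.getpos()
        if tag == "style":
            self.findings.append((line, "style-element", "<style>"))
        for name, value in attrs:
            if name == "style":
                detail = f"<{tag} style={value!r}>"
                self.findings.append((line, "style-attribute", detail))


def find_inline_styles(source):
    """Return findings for one template's source text, in document order."""
    finder = InlineStyleFinder()
    finder.feed(source)
    finder.close()
    return finder.findings


# Constructed sample template (not the contents of the files named in the bug).
SAMPLE = """\
{% extends "base.html" %}
<link rel="stylesheet" href="{{ media('css/main.css') }}">
<style>
  .arrow { border-left: 6px solid #ccc; }
</style>
<div class="listing" style="display: none">
  <!-- <p style="color: red">commented out, never rendered</p> -->
  <span data-style="compact">{{ addon.name }}</span>
</div>
"""

if __name__ == "__main__":
    for line, kind, detail in find_inline_styles(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```
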