788337 - (CSP) when blocking inline stylesheets, also block animation events and indirect style manipulations parsed from strings.

Status: RESOLVED DUPLICATE of bug 763879

(Core :: DOM: Core & HTML, defect)

Description

[Sid Stamm [:geekboy or :sstamm]]

In bug 763879, we're implementing inline stylesheet blocking (style element and style attribute), but there are other things that can change style and can be injected into a page (SMIL animation, etc).  We should identify all of these and figure out how to block them.

Comment 1

[Sid Stamm [:geekboy or :sstamm]]

Attachment: tests for starters

Here are some tests for things we should block when CSP disallows inline styles.  Are there more?

Comment 2

[Daniel Veditz [:dveditz]]

> We should identify all of these and figure out how to block them.

Or -if- we want to block them.

Comment 3

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

FYI:

<dholbert> for animations, you could e.g. add a check in nsSVGAnimationElement::GetTargetElementContent(),  http://mxr.mozilla.org/mozilla-central/source/content/svg/content/src/nsSVGAnimationElement.cpp#116

<dholbert> or you could block it even earlier, too

(In reply to Daniel Veditz [:dveditz] from comment #2)
> Or -if- we want to block them.

Yes, we should block them because they have very similar properties to inline CSS.

<dholbert> so there is a potentially-legitimate reason to want to block <animate> with a CSP rule, even if it's not targeting something truly-external, e.g. if you're including a block of user-generated content in your page, and you don't want that content to be able to arbitrarily animate stuff elsewhere on the page

Comment 4

[Ian Melven :imelven]

Going to handle this as part of bug 763879

Comment 5

[Ian Melven :imelven]

The "indirect style manipulations parsed from strings" part of this is now bug 873302.