Closed Bug 788337 Opened 7 years ago Closed 7 years ago
(CSP) when blocking inline stylesheets, also block animation events and indirect style manipulations parsed from strings
In bug 763879, we're implementing inline stylesheet blocking (style element and style attribute), but there are other things that can change style and can be injected into a page (SMIL animation, etc). We should identify all of these and figure out how to block them.
Here are some tests for things we should block when CSP disallows inline styles. Are there more?
> We should identify all of these and figure out how to block them. Or -if- we want to block them.
FYI: <dholbert> for animations, you could e.g. add a check in nsSVGAnimationElement::GetTargetElementContent(), http://mxr.mozilla.org/mozilla-central/source/content/svg/content/src/nsSVGAnimationElement.cpp#116 <dholbert> or you could block it even earlier, too (In reply to Daniel Veditz [:dveditz] from comment #2) > Or -if- we want to block them. Yes, we should block them because they have very similar properties to inline CSS. <dholbert> so there is a potentially-legitimate reason to want to block <animate> with a CSP rule, even if it's not targeting something truly-external, e.g. if you're including a block of user-generated content in your page, and you don't want that content to be able to arbitrarily animate stuff elsewhere on the page
Going to handle this as part of bug 763879
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 763879
The "indirect style manipulations parsed from strings" part of this is now bug 873302.
You need to log in before you can comment on or make changes to this bug.