Closed
Bug 788337
Opened 12 years ago
Closed 11 years ago
(CSP) when blocking inline stylesheets, also block animation events and indirect style manipulations parsed from strings.
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
DUPLICATE
of bug 763879
People
(Reporter: geekboy, Unassigned)
References
(Blocks 1 open bug)
Attachments
(1 file)
3.93 KB,
patch
In bug 763879, we're implementing inline stylesheet blocking (style element and style attribute), but there are other things that can change style and can be injected into a page (SMIL animation, etc). We should identify all of these and figure out how to block them.
Reporter, Comment 1 • 12 years ago
Here are some tests for things we should block when CSP disallows inline styles. Are there more?
Comment 2•12 years ago
> We should identify all of these and figure out how to block them.
Or -if- we want to block them.
Comment 3•12 years ago
FYI:
<dholbert> for animations, you could e.g. add a check in nsSVGAnimationElement::GetTargetElementContent(), http://mxr.mozilla.org/mozilla-central/source/content/svg/content/src/nsSVGAnimationElement.cpp#116
<dholbert> or you could block it even earlier, too

(In reply to Daniel Veditz [:dveditz] from comment #2)
> Or -if- we want to block them.

Yes, we should block them because they have very similar properties to inline CSS.

<dholbert> so there is a potentially-legitimate reason to want to block <animate> with a CSP rule, even if it's not targeting something truly-external, e.g. if you're including a block of user-generated content in your page, and you don't want that content to be able to arbitrarily animate stuff elsewhere on the page
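Added example, not part of the bug or of Mozilla's code: a small Python audit that lists, for a markup fragment, the inline-style vectors that CSP inline-style blocking already covers (style elements and style attributes) beside the SMIL animations of CSS properties that the comments above say it does not. The CSS property list and the sample fragment are constructed for the example.

```python
from html.parser import HTMLParser

# SMIL animation elements (html.parser lower-cases tag and attribute names)
SMIL_ANIMATION = {"animate", "set", "animatetransform", "animatemotion", "animatecolor"}
# Constructed, deliberately short list of CSS properties an animation may target
CSS_PROPERTIES = {"fill", "opacity", "display", "visibility", "transform", "color"}


class InlineStyleAuditor(HTMLParser):
    """Collects (vector, detail) pairs for every inline-style vector seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":  # blocked by CSP style-src without 'unsafe-inline'
            self.findings.append(("style-element", "<style> block"))
        if "style" in a:  # likewise blocked
            self.findings.append(("style-attribute", a["style"]))
        if tag in SMIL_ANIMATION:  # not covered by inline-style blocking
            name = (a.get("attributename") or "").lower()
            target = a.get("href") or a.get("xlink:href") or "(parent element)"
            # attributeType="CSS" or a CSS property name: the animation rewrites
            # presentation the same way inline CSS would
            if a.get("attributetype", "").upper() == "CSS" or name in CSS_PROPERTIES:
                self.findings.append(("smil-css-animation", f"<{tag}> {name} on {target}"))


def audit(markup):
    """Return the list of inline-style vectors found in the fragment."""
    parser = InlineStyleAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample: two vectors CSP already blocks, two SMIL vectors it does
# not, and one animation of a plain XML attribute (width) that is not a style vector
SAMPLE = """
<div style="color:red">user content</div>
<style>p { display:none }</style>
<svg>
  <rect id="box" width="10" height="10"/>
  <animate xlink:href="#box" attributeName="opacity" from="1" to="0" dur="1s"/>
  <set xlink:href="#nav" attributeName="display" to="none"/>
  <animate xlink:href="#box" attributeName="width" to="20" dur="1s"/>
</svg>
"""
```

Running `audit(SAMPLE)` reports four findings; the animation of `width` is an XML attribute change, not a style change, and is left out.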
Comment 4•11 years ago
Going to handle this as part of bug 763879
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Comment 5•11 years ago
The "indirect style manipulations parsed from strings" part of this is now bug 873302.