CSP support - avoid inline script/style in tabzilla.js

RESOLVED WONTFIX

Status

Websites
Tabzilla
RESOLVED WONTFIX
5 years ago
3 years ago

People

(Reporter: Hanno Schlichting, Unassigned)

Tracking

(Blocks: 1 bug)

Details

(Reporter)

Description

5 years ago
I'm using tabzilla in the https://location.services.mozilla.com/ site. I've started adding strict CSP protections, but ran into a problem with tabzilla.js.

It's using both inline styles and an inline script tag in the current version at https://github.com/mozilla/bedrock/blob/master/bedrock/tabzilla/templates/tabzilla/tabzilla.js

Inside the loadJQuery function, it has "var script = document.createElement("script");" and than later tries to add it to the DOM.

And in the addMatchMediaPolyfill function, it sets both an inline style via "div.style.cssText = "position:absolute;top:-100em";" and later in the return via "div.innerHTML = "&shy;<style media=...". I think this function is only used for IE9 which doesn't support CSP, so it might just be a problem of generating a CSP warning.

Updated

4 years ago
Blocks: 1107980
As you might know, Bug 1151579 has replaced Tabzilla with a static Mozilla tab. The old assets are still available, but no site is probably using it. Closing all Tabzilla-related open bugs at this moment.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.