I'm using tabzilla in the https://location.services.mozilla.com/ site. I've started adding strict CSP protections, but ran into a problem with tabzilla.js. It's using both inline styles and an inline script tag in the current version at https://github.com/mozilla/bedrock/blob/master/bedrock/tabzilla/templates/tabzilla/tabzilla.js Inside the loadJQuery function, it has "var script = document.createElement("script");" and than later tries to add it to the DOM. And in the addMatchMediaPolyfill function, it sets both an inline style via "div.style.cssText = "position:absolute;top:-100em";" and later in the return via "div.innerHTML = "­<style media=...". I think this function is only used for IE9 which doesn't support CSP, so it might just be a problem of generating a CSP warning.
As you might know, Bug 1151579 has replaced Tabzilla with a static Mozilla tab. The old assets are still available, but no site is probably using it. Closing all Tabzilla-related open bugs at this moment.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.