Permalink
Show file tree
Hide file tree
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Safari v14.1 CSP Violation - Usage of "element.removeAttribute("style…
…")" causes style-src CSP Violation. https://bugs.webkit.org/show_bug.cgi?id=227349 <rdar://80020346> Reviewed by Brent Fulgham. If the new style string is null, clear the inline style without checking if the element's inline type should be blocked by CSP. This behavior matches Chrome and Firefox. * Source/WebCore/dom/StyledElement.cpp: (WebCore::StyledElement::styleAttributeChanged): * LayoutTests/http/tests/security/contentSecurityPolicy/allow-inline-remove-attribute-expected.txt: Added. * LayoutTests/http/tests/security/contentSecurityPolicy/allow-inline-remove-attribute.html: Added. Canonical link: https://commits.webkit.org/254409@main
- Loading branch information
1 parent
2602b20
commit 572f10393126fefe8d887573d2644b27931a2516
Showing
3 changed files
with
55 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| CONSOLE MESSAGE: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. | ||
| CONSOLE MESSAGE: PASS: style attribute successfully removed. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| <!DOCTYPE html> | ||
| <html lang="en"> | ||
|
|
||
| <head> | ||
| <meta charset="utf-8" /> | ||
| <meta http-equiv="Content-Security-Policy" content=" | ||
| default-src 'none'; | ||
| connect-src 'self'; | ||
| script-src 'self' 'sha256-kSyfQ4joIKFsQ/vuAU0PsTihY+jZ6waGXCmEWp6wMf4='; | ||
| style-src 'self' 'sha256-abBtF99/+bWrkA5qp1+WvGjHjqVlNpUWZD8/uEg8wKA='; | ||
| " /> | ||
| <style> | ||
| .section { | ||
| height: 50vh; | ||
| width: 100vw; | ||
| background: paleturquoise; | ||
| display: flex; | ||
| flex-direction: COLUMN; | ||
| justify-content: center; | ||
| } | ||
| </style> | ||
| </head> | ||
|
|
||
| <body> | ||
| <div class="container"> | ||
| <div class="section" id="section"> | ||
| </div> | ||
| </div> | ||
| <script> | ||
| if (window.testRunner) { | ||
| testRunner.dumpAsText(); | ||
| testRunner.waitUntilDone(); | ||
| } | ||
| let section = document.getElementById("section"); | ||
| section.style.backgroundColor = "#2196f3"; | ||
| section.setAttribute("style", "background-color: #2196f3"); | ||
| section.removeAttribute("style"); | ||
|
|
||
| if (section.style.backgroundColor == "rgb(33, 150, 243)") { | ||
| console.log("FAIL: style attribute was not removed."); | ||
| } | ||
| else { | ||
| console.log("PASS: style attribute successfully removed."); | ||
| } | ||
| testRunner.notifyDone(); | ||
| </script> | ||
| </body> | ||
|
|
||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters