CSP 1.1: 'unsafe-eval' blocks certain CSSOM operations.
In [1] and [2], Mozilla proposed treating certain bits of the CSSOM in the same way we treat JavaScript operations like 'eval'. Specifically, those bits of the CSSOM like the 'cssText' setters and 'insertRule' methods directly interpret strings as CSS rules and declarations, and can and will be used to attack protected resources.

This patch implements the suggestion in comment #0 of [2]. Comment #1 on the same bug goes further, asking for a more blanket restriction on setters of all kinds, including direct property setters. If the WG determines that that's the right balance to strike, a future patch can tighten the restrictions.

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0097.html
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=873302
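As an added illustration (not code from this commit or the spec), the following evaluates a CSP header and reports whether the string-interpreting CSSOM operations named above would be permitted. It assumes the governing directive is `style-src`, falling back to `default-src` when `style-src` is absent; the commit text itself does not name the directive.

```javascript
// Added example, not part of the commit. Assumption: the 'unsafe-eval'
// check for CSSOM string interpretation is governed by style-src, with the
// standard CSP fallback to default-src when style-src is not present.
const EVAL_LIKE_CSSOM = [
  'CSSStyleDeclaration.cssText setter', // interprets a string as declarations
  'CSSStyleSheet.insertRule',           // interprets a string as a rule
];

// Parse a serialized policy into a Map of directive name -> source list.
// Per CSP, when a directive is repeated, the first occurrence wins.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when the policy would let eval-like CSSOM operations run.
function styleEvalAllowed(header) {
  const directives = parsePolicy(header);
  const sources = directives.has('style-src')
    ? directives.get('style-src')
    : directives.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Report, per operation, whether the policy blocks it. Direct property
// setters (e.g. element.style.color = 'red') are not gated by this patch.
function cssomReport(header) {
  const verdict = styleEvalAllowed(header) ? 'allowed' : 'blocked';
  const report = {};
  for (const op of EVAL_LIKE_CSSOM) report[op] = verdict;
  return report;
}

module.exports = { parsePolicy, styleEvalAllowed, cssomReport };
```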