| Summary: | CSP breaks soft-wrapping of plaintext documents unless unsafe-inline is used | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Adam Roben (:aroben) <aroben> |
| Component: | Layout and Rendering | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW --- | ||
| Severity: | Normal | CC: | bfulgham, dbates, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 528+ (Nightly build) | ||
| Hardware: | Mac (Intel) | ||
| OS: | OS X 10.9 | ||
To reproduce: 1. Serve a plaintext document containing long lines with Content-Security-Policy header of "style-src 'none'" or stronger (like "default-src 'none'"). The lines should soft-wrap to match the browser width. But the lines do not wrap. In the JS console there is a warning that says: > Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. It looks like CSP is breaking the style attribute that WebKit puts on the <pre> element that wraps the plaintext contents. We were running into this when serving raw file contents from raw.github.com (I'm a GitHub engineer), so we added a "style-src 'unsafe-inline'" directive.