Bug 227349

Summary: Safari v14.1 CSP Violation - Usage of "element.removeAttribute("style")" causes style-src CSP Violation.
Product: WebKit Reporter: Ramya <ramya.vivid>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ahmad.saleem792, ap, bfulgham, cdumez, nickygencs, ramya.vivid, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 14   
Hardware: All   
OS: macOS 11   
Attachments:
Description Flags
safari-CSP
none
Updated safari-csp-issue html with text message
none
Updated safari-csp-issue html with text message none

Ramya
Reported 2021-06-24 06:04:29 PDT
Created attachment 432154 [details] safari-CSP Usage of element.removeAttribute("style") in safari v14.1 throws the following CSP Violation. "Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy". Example: function removeStyle(){ document.getElementById("section").removeAttribute("style"); // throws above CSP violation } CSP used: default-src 'none'; connect-src 'self'; script-src 'self'; style-src 'self'; Reference: Attached HTML file. Steps to reproduce: 1. Open the demo html with safari v14.1 2. Open the console to check the violation reported 3. Click on change and remove color buttons 4. Remove button - is executing the following - element.removeAttribute("style") 5. On click of Remove - the above CSP violation will be reported in the console
Attachments
safari-CSP (1.80 KB, text/html)
2021-06-24 06:04 PDT, Ramya 		no flags
Details
Updated safari-csp-issue html with text message (2.26 KB, text/html)
2021-06-24 22:40 PDT, Ramya 		no flags
Details
Updated safari-csp-issue html with text message (2.26 KB, text/html)
2021-06-24 22:44 PDT, Ramya 		no flags
Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Ramya
Comment 1 2021-06-24 22:40:27 PDT
Created attachment 432236 [details] Updated safari-csp-issue html with text message
Ramya
Comment 2 2021-06-24 22:44:12 PDT
Created attachment 432237 [details] Updated safari-csp-issue html with text message
Radar WebKit Bug Importer
Comment 3 2021-07-01 06:05:17 PDT
<rdar://problem/80020346>
Ahmad Saleem
Comment 4 2022-08-08 17:53:32 PDT
I am able to reproduce this bug in Safari 15.6 on macOS 12.5 and it gives following message in Console: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. While all other browsers does not show any such message in Console. Thanks!
Charlie Wolfe
Comment 5 2022-08-15 16:57:37 PDT
Pull request: https://github.com/WebKit/WebKit/pull/3333
EWS
Comment 6 2022-09-12 15:09:25 PDT
Committed 254409@main (572f10393126): <https://commits.webkit.org/254409@main> Reviewed commits have been landed. Closing PR #3333 and removing active labels.
nickygencs
Comment 7 2023-05-22 12:06:49 PDT
What version on safari is this fixed in?
Ahmad Saleem
Comment 8 2023-05-22 12:08:35 PDT
(In reply to nickygencs from comment #7) > What version on safari is this fixed in? Safari 16.4 <- if I am not wrong. @jensimmons & others might be able to give precise information.
Note You need to log in before you can comment on or make changes to this bug.