Bug 227349

Summary:

Safari v14.1 CSP Violation - Usage of "element.removeAttribute("style")" causes style-src CSP Violation.

Product:

WebKit

Reporter:

Ramya <ramya.vivid>

Component:

DOM

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ahmad.saleem792, ap, bfulgham, cdumez, nickygencs, ramya.vivid, rniwa, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

Safari 14

Hardware:

All

OS:

macOS 11

Attachments:

Description	Flags
safari-CSP	none
Updated safari-csp-issue html with text message	none
Updated safari-csp-issue html with text message	none

Description Ramya 2021-06-24 06:04:29 PDT

Created attachment 432154 [details]
safari-CSP

Usage of element.removeAttribute("style") in safari v14.1 throws the following CSP Violation.

"Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy".

    Example:

    function removeStyle(){
        document.getElementById("section").removeAttribute("style"); // throws above CSP violation
    }

    CSP used:

    default-src 'none';
    connect-src 'self';
    script-src 'self';
    style-src 'self';

    Reference:

    Attached HTML file.

    Steps to reproduce:
    
    1. Open the demo html with safari v14.1
    2. Open the console to check the violation reported
    3. Click on change and remove color buttons
    4. Remove button - is executing the following - element.removeAttribute("style")
    5. On click of Remove - the above CSP violation will be reported in the console

Comment 1 Ramya 2021-06-24 22:40:27 PDT

Created attachment 432236 [details]
Updated safari-csp-issue html with text message

Comment 2 Ramya 2021-06-24 22:44:12 PDT

Created attachment 432237 [details]
Updated safari-csp-issue html with text message

Comment 3 Radar WebKit Bug Importer 2021-07-01 06:05:17 PDT

<rdar://problem/80020346>

Comment 4 Ahmad Saleem 2022-08-08 17:53:32 PDT

I am able to reproduce this bug in Safari 15.6 on macOS 12.5 and it gives following message in Console:

Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.

While all other browsers does not show any such message in Console. Thanks!

Comment 5 Charlie Wolfe 2022-08-15 16:57:37 PDT

Pull request: https://github.com/WebKit/WebKit/pull/3333

Comment 6 EWS 2022-09-12 15:09:25 PDT

Committed 254409@main (572f10393126): <https://commits.webkit.org/254409@main>

Reviewed commits have been landed. Closing PR #3333 and removing active labels.

Comment 7 nickygencs 2023-05-22 12:06:49 PDT

What version on safari is this fixed in?

Comment 8 Ahmad Saleem 2023-05-22 12:08:35 PDT

(In reply to nickygencs from comment #7)
> What version on safari is this fixed in?

Safari 16.4 <- if I am not wrong.

@jensimmons & others might be able to give precise information.