Bug 128990 - CSP breaks soft-wrapping of plaintext documents unless unsafe-inline is used
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.9
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2014-02-18 12:47 PST by Adam Roben (:aroben)
Modified: 2016-05-27 12:30 PDT
Description Adam Roben (:aroben) 2014-02-18 12:47:30 PST
To reproduce:

1. Serve a plaintext document containing long lines with a Content-Security-Policy header of "style-src 'none'" or stronger (like "default-src 'none'").

The lines should soft-wrap to match the browser width.

But the lines do not wrap. In the JS console there is a warning that says:

> Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

It looks like CSP is breaking the style attribute that WebKit puts on the <pre> element that wraps the plaintext contents.

We were running into this when serving raw file contents from raw.github.com (I'm a GitHub engineer), so we added a "style-src 'unsafe-inline'" directive.
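
Added example, not part of the original report or of WebKit's code: a small checker that resolves which directive governs inline styles (with the `default-src` fallback the console warning describes) and whether a `style` attribute such as the one on the plaintext `<pre>` wrapper would be applied. The function names are hypothetical, the combined policy in the sample list is constructed from the two directives mentioned in the report, and the model is simplified to `style-src` and `default-src` only.

```python
"""Resolve which CSP directive governs inline styles, with default-src fallback."""

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Directive names are case-insensitive; a repeated directive is
        # ignored, so the first occurrence wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def inline_style_verdict(header):
    """Return (allowed, governing_directive) for inline style attributes."""
    policy = parse_csp(header)
    for name in ("style-src", "default-src"):
        if name in policy:
            break
    else:
        return True, None  # neither directive set: styles are unrestricted
    sources = [s.lower() for s in policy[name]]
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP2+).
    strict = any(s.startswith(HASH_OR_NONCE) for s in sources)
    return ("'unsafe-inline'" in sources and not strict), name


# Constructed sample policies: the two from the reproduction steps, plus
# default-src 'none' combined with the style-src directive from the report.
SAMPLES = [
    "style-src 'none'",
    "default-src 'none'",
    "default-src 'none'; style-src 'unsafe-inline'",
]

if __name__ == "__main__":
    for csp in SAMPLES:
        allowed, directive = inline_style_verdict(csp)
        state = "applied" if allowed else "refused"
        print(f"{csp!r}: inline style {state} (governed by {directive})")
```

With the third policy, scripts, images and other resource types stay blocked by `default-src 'none'`; only the style restriction is relaxed.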
Comment 1 Radar WebKit Bug Importer 2016-05-27 12:30:12 PDT
<rdar://problem/26522742>