Bug 97053 - Take a closer look at 'unsafe-inline' for the 'style-src' CSP directive.
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Daniel Bates
Reported: 2012-09-18 17:17 PDT by Mike West
Modified: 2016-04-12 13:10 PDT
Description Mike West 2012-09-18 17:17:56 PDT
These all might need to be blocked when 'unsafe-inline' is not whitelisted for the 'style-src' Content Security Policy directive:

> * doc.body.style.background = "...";
> * doc.body.bgcolor = "...";
> * doc.body.appendChild(doc.createElement("font"));
> * bgcolor attributes appearing in the markup
> * <font> elements appearing in the markup

See http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0055.html for context.
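A markup audit for the two markup-level items in the description above (bgcolor attributes and <font> elements), as an added example that is not part of the bug report or of WebKit's code. The function names and the sample policy and markup are constructed for illustration; nonce and hash sources are not considered, and the regex scan is a lint heuristic rather than an HTML parser.

```javascript
// Added example; parsePolicy, inlineStyleAllowed and auditMarkup are hypothetical names.

// Parse a CSP header value into a Map of directive name -> source tokens.
// Directive names are case-insensitive and a repeated directive is ignored
// (the first occurrence wins).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// style-src falls back to default-src; with neither present, styles are unrestricted.
// Simplification (assumption of this example): nonce and hash sources are ignored.
function inlineStyleAllowed(header) {
  const d = parsePolicy(header);
  const sources = d.get("style-src") ?? d.get("default-src");
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// When the policy does not allow inline style, flag the markup-level cases
// from the description, plus style attributes, which style-src already governs.
function auditMarkup(header, html) {
  if (inlineStyleAllowed(header)) return [];
  const checks = [
    ["font element", /<font[\s>\/]/gi],
    ["bgcolor attribute", /<[a-z][^>]*\sbgcolor\s*=/gi],
    ["style attribute", /<[a-z][^>]*\sstyle\s*=/gi],
  ];
  const findings = [];
  for (const [kind, re] of checks) {
    for (const m of html.matchAll(re)) findings.push({ kind, index: m.index });
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Constructed sample input.
const SAMPLE_POLICY = "default-src 'self'; style-src 'self'";
const SAMPLE_HTML =
  '<body bgcolor="#fff"><font color="red">hi</font><p style="color:blue">x</p></body>';
console.log(auditMarkup(SAMPLE_POLICY, SAMPLE_HTML));
```

The script-driven cases in the description (setting style or bgcolor from JavaScript, creating a font element) are not visible to a static markup scan and need a runtime check instead.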
Comment 1 Mike West 2013-02-07 11:00:46 PST
Unassigning myself; let's be realistic about what I'm actually working on. :/
Comment 2 Brent Fulgham 2016-04-12 13:10:06 PDT
The style-src changes in Bug 116508 may have addressed this. Dan, can you take a look?