Timing issue using preload with Content-Security-Policy (CSP)
Reported by matt...@mysociety.org, Nov 7 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36

Steps to reproduce the problem:
1. Have a page with a Content-Security-Policy banning inline style, with a nonce.
2. Add a <link rel="preload" href="style.css" as="style">
3. Have some script after that to set the onload handler of the link to set rel="stylesheet". See attachment.

What is the expected behavior?
The stylesheet is always activated when loaded.

What went wrong?
If there is any delay in the setting of the handler, and the file is cached/loads very quickly, then the link's load event fires before the handler is attached and the stylesheet isn't activated. I am assuming this can't happen with an inline event handler? But I can't use an inline event handler due to the Content-Security-Policy header. If it can be guaranteed that an immediate setting of the handler after the link will be attached in time, then that is fine, but I couldn't find any documentation as to whether this would be the case or not; any users of rel=preload on stylesheets appear to use an inline event handler.

Did this work before? No
Does this work in other browsers? N/A

Chrome version: 62.0.3202.75 Channel: stable
OS Version: OS X 10.12.6
Flash Version:
Nov 9 2017
matthew@ Thank you for the issue.

Tested this issue on Mac OS 10.12.6 using the latest Stable 62.0.3202.89, Canary 64.0.3262.0 and on the reported version 62.0.3202.7 by following the below steps.
1. Launched Chrome and opened the given html page.
2. Opened Devtools -> Console and could see some errors on the console.

Attached is the screen cast for reference.

Can you please check and confirm if we have tested this issue with the correct steps? Also request you to please provide us the expected behavior and steps to reproduce this issue, and a screen cast will be helpful for better understanding.

Thanks
Nov 9 2017
++ Attaching the screen cast
Nov 9 2017
Hi Susan, Thanks for the screencast. I didn't include an empty style.css file, as that seemed superfluous to the actual issue, but perhaps I wasn't clear enough, sorry. I have provided a new HTML file and associated style.css that will show the issue, with an artificial delay of a few milliseconds. I have also attached a screencast to confirm this. My question is how can you attach an onload event handler to a link and guarantee that it will be run, without using an inline event handler. I hope that makes things clear.
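Added example, not part of the original thread and not the reporter's or Chromium's code: one ordering that closes the race described above is to create the link from a nonce'd script and attach the load listener before the element has an href or is inserted. The names `activateOnLoad`, `preloadStylesheet`, `fakeLink` and `replay` are hypothetical, and `fakeLink` is a constructed stand-in so both orderings can be replayed outside a browser.

```javascript
// Added example. In a browser, call preloadStylesheet(document, "style.css")
// from a <script nonce="..."> block so the script itself satisfies the CSP.

// Pattern from the report: the handler is attached by script, not inline.
// If the link was already in the markup, load may have fired before this runs.
function activateOnLoad(link) {
  link.addEventListener("load", function () {
    link.rel = "stylesheet";
  });
}

// Ordering that avoids the race: the listener is attached while the element
// is still detached and has no href, so no fetch (and therefore no load
// event) can start ahead of the listener.
function preloadStylesheet(doc, href) {
  var link = doc.createElement("link");
  link.rel = "preload";
  link.as = "style";
  activateOnLoad(link);
  link.href = href;
  doc.head.appendChild(link);
  return link;
}

// Constructed stand-in for a link element: just enough event plumbing to
// replay "load fired before/after the listener was attached".
function fakeLink() {
  var listeners = [];
  return {
    rel: "preload",
    addEventListener: function (type, fn) {
      if (type === "load") listeners.push(fn);
    },
    fireLoad: function () {
      listeners.forEach(function (fn) { fn(); });
    }
  };
}

// attachFirst === false replays the reported failure (cached file, late
// handler); attachFirst === true replays the safe ordering.
function replay(attachFirst) {
  var link = fakeLink();
  if (attachFirst) { activateOnLoad(link); link.fireLoad(); }
  else { link.fireLoad(); activateOnLoad(link); }
  return link.rel;
}
```

`replay(false)` leaves `rel` at `"preload"`, which is the symptom in the report; `replay(true)` ends at `"stylesheet"`.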
Nov 9 2017
Thank you for providing more feedback. Adding requester "susanjuniab@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 10 2017
Nov 10 2017
Feb 18 2018
Comment 1 by dtapu...@chromium.org, Nov 8 2017