
Issue 825941


Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 3
Type: Bug




XML Viewer inline styles are blocked by server-provided CSP

Project Member Reported by marti...@chromium.org, Mar 26 2018

Issue description

Demo: https://www.martijnc.be/test/xml-csp.php

Chrome's XML viewer turns XML files into HTML and applies styling. This styling is blocked when the server-provided Content Security Policy doesn't allow inline styles (unsafe-inline) resulting in an unstyled, unreadable page.
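
Added example, not part of the original report and not Chromium code: a check that a site owner can run against a `Content-Security-Policy` header value to see whether it would block an inline `<style>` element like the one the XML viewer inserts. It assumes the inserted style carries no nonce and matches no hash in the policy; the function names and sample headers are constructed for illustration.

```javascript
// Added example (not Chromium code): decide whether a CSP header value would
// block an inline <style> element that carries no nonce.
const STYLE_FALLBACK = ["style-src-elem", "style-src", "default-src"];
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[^']+'$/i;

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns the directive that blocks the style, or null if this policy allows it.
function blockingDirective(policy) {
  const directives = parsePolicy(policy);
  const name = STYLE_FALLBACK.find((d) => directives.has(d));
  if (name === undefined) return null; // no directive governs inline styles
  const sources = directives.get(name);
  // A nonce or hash source makes the browser ignore 'unsafe-inline'.
  // Assumption: the inserted style has no nonce and matches no listed hash.
  const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  const hasUnsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return hasUnsafeInline && !hasNonceOrHash ? null : name;
}

// A header may carry several comma-separated policies; all must allow the style.
function inlineStyleVerdict(headerValue) {
  for (const policy of headerValue.split(",")) {
    const blockedBy = blockingDirective(policy);
    if (blockedBy !== null) return { allowed: false, blockedBy };
  }
  return { allowed: true, blockedBy: null };
}

// Constructed sample header values, not taken from the demo page.
const samples = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "style-src 'unsafe-inline' 'nonce-abc123'",
  "script-src 'none'",
  "style-src 'unsafe-inline', default-src 'none'",
];
for (const s of samples) console.log(JSON.stringify(inlineStyleVerdict(s)), s);
```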
 

Comment 1 by mkwst@chromium.org, Mar 27 2018

Cc: andypaicu@chromium.org
Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Status: Available (was: Untriaged)
We have a few instances of this across the codebase. At the moment, we don't have a reasonable way of excluding the browser-inserted style/script/whatever in the presence of a server-delivered policy. It's non-trivial to implement, and though I think it's probably worth doing, it hasn't bubbled up as important enough for folks to spend time on.

Triaging accordingly.
#1 - here are two probably-easy-to-implement ways to improve this -
- You can move the content of that <style> to a user agent stylesheet (view-source.css already has some of the rules used by the XML viewer). That sounds easy and will already improve a lot.
- You can switch any JavaScript-implemented expand/collapse to <summary> and <details>. That might require ::marker (not stable yet) to make it look the same, but even without it, it is better than the current situation. Less easy, I guess, but does not sound a lot harder.

Alternatively, you can make it fully use the view-source mode when (a relevant?) content security policy is active.
