(Not) blocking 'style' attribute on <path> elements due to Content Security Policy (CSP)
Reported by schleckv...@gmail.com, Jul 16
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Steps to reproduce the problem:
I use the following header:
"Content-Security-Policy: default-src 'self' 'nonce-$nonce'"
I get the following error message:
"Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' 'nonce-qEFIjCwl5578fwnq'". Either the 'unsafe-inline' keyword, a hash ('sha256-EQJpA8QOOWKq5XpDIYNJ+o9ZeZP2+ssElHJVTsx8o1E='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback."
It refers to the following HTML code:
<path style="fill:#D7A304;" d="M 72.958,5 H 27.042 C 14.872,5 4.998,14.867 4.998,27.044 V 72.96 C 4.998,85.127 14.872,95 27.042,95 H 72.958 C 85.135,95 95.002,85.127 95.002,72.96 V 27.044 C 95.002,14.867 85.135,5 72.958,5 Z" />
<path style="fill:#ffffff;" d="M 50.329563,67.539974 30.06452,36.572669 h 40.529264 z" />
What is the expected behavior?
What went wrong?
The 'style' attribute is applied and not refused.
Did this work before? N/A
Chrome version: 67.0.3396.99 Channel: stable
OS Version: 10.0
Flash Version:
Jul 17
No, the problem is that the style is not blocked but I think the intention is to block it.
Comment 1 by est...@chromium.org, Jul 16
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Owner: andypaicu@chromium.org
Status: Assigned (was: Unconfirmed)