Closed Bug 1112889 Opened 10 years ago Closed 2 years ago

Firefox reports a CSP violation when using the "onload" attribute on a div

Categories

(Core :: DOM: Security, defect)

34 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: guranator, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Steps to reproduce:

1. Specify a CSP that does NOT have 'unsafe-inline'.
2. In a .html file include <div ng-include="<src>" onload="<function()>"></div>
3. Open the page in Firefox.

Actual results:

The following error message is reported in the console:

Content Security Policy: The page's settings blocked the loading of a resource at self (""). onload attribute on DIV element

Expected results:

There should be no CSP violation since the "onload" event is not valid for the <div> element.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Summary: Firefox reports a CSP violation when using the "onload" attribute for ng-iclude → Firefox reports a CSP violation when using the "onload" attribute on a div
We should investigate and fix that.
Whiteboard: [domsecurity-backlog]

The <div> element is specified as supporting the Global attributes. onload is on a list headed by:

The following event handler content attributes may be specified on any HTML element:

If you think the above is incorrect that would be an issue with our Core HTML implementation, not CSP. CSP is going to block script and report errors anywhere Firefox supports script. Anything less would allow security violations.
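As an added example (not the bug's or Firefox's code), a small check that applies the point above: given a page's markup and its CSP, it lists every inline event-handler attribute, on any element, that the policy will refuse to run, since only 'unsafe-inline' in the effective script-src (and not neutralised by a nonce or hash source) lets such handlers execute. The sample markup is constructed around the reporter's div, and the CSP header strings are assumed values.

```python
import re
from html.parser import HTMLParser

# Under CSP Level 2+, a nonce or hash source makes the user agent ignore 'unsafe-inline'.
_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
_EVENT_ATTR = re.compile(r"^on[a-z]+$")  # event handler content attributes are all on*

def effective_script_src(csp: str) -> list:
    """Return the source list governing inline scripts: script-src, else default-src."""
    directives = {}
    for raw in csp.split(";"):
        parts = raw.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))

def inline_handlers_allowed(csp: str) -> bool:
    """True only if 'unsafe-inline' is present and not neutralised by a nonce/hash source."""
    sources = [s.lower() for s in effective_script_src(csp)]
    if "'unsafe-inline'" not in sources:
        return False
    return not any(s.startswith(_NONCE_OR_HASH) for s in sources)

class _HandlerFinder(HTMLParser):
    """Collects (element, attribute) pairs for every inline event handler, on any element."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if _EVENT_ATTR.match(name):
                self.found.append((tag, name))

def find_blocked_handlers(html: str, csp: str) -> list:
    """Return the inline handlers the policy will refuse to run (empty if the policy allows them)."""
    if inline_handlers_allowed(csp):
        return []
    finder = _HandlerFinder()
    finder.feed(html)
    return finder.found

# Constructed sample: the reporter's markup plus a <body onload> and an <img onerror>,
# to show the rule is element-agnostic. The assumed CSP lacks 'unsafe-inline', as in step 1.
SAMPLE_HTML = """<body onload="init()">
  <div ng-include="'partial.html'" onload="partialLoaded()"></div>
  <img src="logo.png" onerror="fallback()">
</body>"""
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example"
```

Running `find_blocked_handlers(SAMPLE_HTML, STRICT_CSP)` reports all three handlers, including the one on the div; moving them into an external script served from an allowed source is what clears the violations.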

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID