[Webkit-unassigned] [Bug 166630] New: Inline styles added by Webkit when viewing PDFs cause CSP violation

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Dec 31 05:03:55 PST 2016


https://bugs.webkit.org/show_bug.cgi?id=166630

            Bug ID: 166630
           Summary: Inline styles added by Webkit when viewing PDFs cause
                    CSP violation
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Windows 10
            Status: NEW
          Severity: Minor
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: j162011 at gmail.com

If a site has a CSP that disallows inline styles, then a CSP violation report is sent when viewing a PDF.

Steps to reproduce
1) View a PDF document [1] on a site with a CSP that disallows inline styles
2) Open developer tools and look at the console

Actual results
* An error message showing a CSP violation is shown

[Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-1kQs8h/ra9YlH+s6eZbKdSD/cn6Ljcz2Rv60pJnk/eY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Expected results
A CSP violation should not happen.
The inline styles could be moved to a stylesheet to stop this happening.

[1] for example: https://cuoc.soc.srcf.net/eventdetails/2015/cityrace/flyer.pdf

At the time of the bug report, the CSP on document [1] was

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'none'; img-src * data:; child-src 'none'; block-all-mixed-content; report-uri https://cfdfb69390e4d94a41b74106a231c475.report-uri.io/r/default/csp/reportOnly
