[Webkit-unassigned] [Bug 227349] New: Safari v14.1 - CSP Violation ('style-src') is thrown if removeAttribute("style") is used in any element.
bugzilla-daemon at webkit.org
Thu Jun 24 06:04:29 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=227349
Bug ID: 227349
Summary: Safari v14.1 - CSP Violation ('style-src') is thrown
if removeAttribute("style") is used in any element.
Product: WebKit
Version: Safari 14
Hardware: All
OS: macOS 11
Status: NEW
Severity: Normal
Priority: P2
Component: DOM
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ramya.vivid at gmail.com
Created attachment 432154
--> https://bugs.webkit.org/attachment.cgi?id=432154&action=review
safari-CSP
Usage of element.removeAttribute("style") in Safari v14.1 throws the following CSP violation.
"Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy".
Example:
    function removeStyle() {
        document.getElementById("section").removeAttribute("style"); // throws above CSP violation
    }
CSP used:
default-src 'none';
connect-src 'self';
script-src 'self';
style-src 'self';
Reference:
Attached HTML file.
Steps to reproduce:
1. Open the demo HTML with Safari v14.1.
2. Open the console to check the violation reported.
3. Click on the change and remove color buttons.
4. The Remove button executes the following: element.removeAttribute("style")
5. On click of Remove, the above CSP violation will be reported in the console.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210624/19789de0/attachment.htm>
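Added example, not part of the original report or its scrubbed attachment: a small recorder for the browser's securitypolicyviolation event that keeps only style-src family reports and groups them by script location, which helps confirm whether a removeAttribute("style") call site is what produces the report. In a page, pass `document` as the target; the function names, the stand-in event target and the sample events (URL, line number, field values) are constructed for illustration.

```javascript
// Added diagnostic sketch; not code from the bug report or from WebKit.
// Records CSP violations in the style-src family so they can be tied to a call site.
function createStyleViolationRecorder(target) {
  const records = [];
  const onViolation = (e) => {
    // effectiveDirective is the current field; violatedDirective is its older alias.
    const directive = e.effectiveDirective || e.violatedDirective || "";
    if (!directive.startsWith("style-src")) return; // also matches style-src-attr / -elem
    records.push({
      directive,
      blockedURI: e.blockedURI || "",
      sourceFile: e.sourceFile || "",
      lineNumber: e.lineNumber || 0,
    });
  };
  target.addEventListener("securitypolicyviolation", onViolation);
  return {
    records,
    stop: () => target.removeEventListener("securitypolicyviolation", onViolation),
    // Count reports per script location to see which line triggers them.
    byCallSite() {
      const counts = new Map();
      for (const r of records) {
        const key = `${r.sourceFile}:${r.lineNumber}`;
        counts.set(key, (counts.get(key) || 0) + 1);
      }
      return counts;
    },
  };
}

// Constructed sample data: a stand-in event target and hand-built events.
// The URL, line number and field values are made up for this example.
function runConstructedDemo() {
  const fakeDocument = new EventTarget();
  const send = (fields) => fakeDocument.dispatchEvent(
    Object.assign(new Event("securitypolicyviolation"), fields));
  const recorder = createStyleViolationRecorder(fakeDocument);
  const site = { sourceFile: "https://example.test/demo.js", lineNumber: 2 };
  send({ effectiveDirective: "style-src", blockedURI: "inline", ...site });
  send({ violatedDirective: "style-src", blockedURI: "inline", ...site });
  send({ effectiveDirective: "script-src", blockedURI: "inline", ...site }); // ignored
  recorder.stop();
  send({ effectiveDirective: "style-src", blockedURI: "inline", ...site }); // after stop
  return recorder;
}
```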