<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - WebKit blocks 'unsafe-inline' event handler upon execution, not upon setting"

   href="https://bugs.webkit.org/show_bug.cgi?id=160960">160960</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>WebKit blocks 'unsafe-inline' event handler upon execution, not upon setting

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>Safari 9

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebCore JavaScript

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>april&#64;pokeinthe.io

          </td>

        </tr></table>

      <p>

        <div>

        <pre>OS Version: OS X 10.11

URLs (if applicable) : <a href="http://output.jsbin.com/togusapobi">http://output.jsbin.com/togusapobi</a> / <a href="http://output.jsbin.com/wutojesugi">http://output.jsbin.com/wutojesugi</a>

Other browsers tested:

  Add OK or FAIL after other browsers where you have tested this issue:

       Safari: FAIL

   Firefox 48: OK

     IE 7/8/9: N/A

         Edge: OK

    Chrome 52: FAIL

What steps will reproduce the problem?

1. Set Content-Security-Policy to block 'unsafe-inline'

2. Add an event handler to an attribute via setAttribute('onclick') or via onclick attribute added to DOM node

What is the expected result?

In Firefox and Edge, this code will be successfully blocked on being set:

document.querySelector('button').setAttribute('onclick', 'alert(1)')

As will this inline event handler:

&lt;button onclick=&quot;alert(1);&quot;&gt;yay&lt;/button&gt;

What happens instead of that?

WebKit-based browsers block it upon execution, in violation of the CSP specification:

<span class="quote">&gt;  When an event handler content attribute is set, execute the following steps:

&gt;  

&gt;    If the Should element's inline behavior be blocked by Content Security Policy? algorithm returns &quot;Blocked&quot; when executed upon the attribute's element, &quot;script attribute&quot;, and the attribute's value, then abort these steps. [CSP]</span >

See also:

<a href="https://bugs.chromium.org/p/chromium/issues/detail?id=638957">https://bugs.chromium.org/p/chromium/issues/detail?id=638957</a>

<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1296027">https://bugzilla.mozilla.org/show_bug.cgi?id=1296027</a></pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>