Bug Tracker

Ticket #11249 (closed bug: fixed)

Opened 3 years ago

Last modified 2 years ago

CSP error in Chrome 18 when loading jQuery 1.7.1

Reported by: adblockforchrome Owned by: dmethvin
Priority: low Milestone: 1.8
Component: support Version: 1.7.1
Keywords: Cc:
Blocking: Blocked by:

Description (last modified by sindresorhus) (diff)

jQuery version 1.7.1 Chrome version 18.0.1003.1

Repro:

  1. Load in Chrome the extension that is attached to this post (unzip the .zip then drag the .crx onto Chrome).
  2. Open the Web Inspector Console on the page that appears.

Expected results: No errors. The page does nothing but load jQuery.

Actual results: 5 "Refused to apply inline style because of Content-Security-Policy." errors.

 Test case

---

You can unzip the attachment and drag the .crx onto Chrome to install it. Here is the contents of the extension. The important part is that manifest.json enables CSP, and page.html includes jQuery.

manifest.json:

{
  "name": "jQuery CSP fail",
  "version": "1",
  "permissions": [ "http://*/*", "https://*/*" ],
  "content_security_policy": "default-src 'self'",
  "background_page": "background.html"
}

background.html:

<script src="background.js"></script>

background.js:

chrome.tabs.create({url:"page.html"});

page.html:

<!DOCTYPE html>
<html>
  <head><script src="jquery.min.js"></script></head>
  <body>
    Open the Web Inspector console to see the jQuery errors.
  </body>
</html>

jquery.min.js:

The minified jQuery 1.7.1 code.

Change History

comment:2 Changed 3 years ago by sindresorhus

  • Description modified (diff)

comment:3 Changed 2 years ago by dmethvin

  • Owner set to adblockforchrome
  • Status changed from new to pending

Chrome 18 is not released, right? Does it work in Chrome 16? If so it sounds like this should be reported to the Chrome bug tracker.

comment:4 Changed 2 years ago by davidhong

comment:5 Changed 2 years ago by trac-o-bot

  • Status changed from pending to closed
  • Resolution set to invalid

Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!

comment:6 Changed 2 years ago by rwaldron

#11487 is a duplicate of this ticket.

comment:7 Changed 2 years ago by rwaldron

  • Status changed from closed to reopened
  • Resolution invalid deleted

Reopening for review

comment:8 Changed 2 years ago by Jon Oberheide

CSP incompatibility (either through inline js or inline style setting) will definitely become more of an issue for JS libs like jQuery as CSP adoption increases.

comment:9 Changed 2 years ago by trhaynes

Is there a reason why jQuery applies inline styles for effects instead of modifying the DOM directly (element.style.foo = bar). The former will raise these "Refused to apply inline style" errors while the latter will not.

comment:10 Changed 2 years ago by rwaldron

  • Status changed from reopened to pending

We need confirmation that this is still an issue.

comment:11 Changed 2 years ago by trac-o-bot

  • Status changed from pending to closed
  • Resolution set to invalid

Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!

comment:12 Changed 2 years ago by davidben

This ticket is still valid. jQuery uses inline styles in a number of places which trips up the default Content-Security-Policy. (Inline style is forbidden to prevent attacker-injected styles from rearranging UI and potentially causing a clickjacking attack and more complex attacks like using attribute selectors to sniff the contents of a form field.)

I can't seem to attach files, but here's a patch that fixes it. I don't have easy access to IE6-8, and this is in I imagine a somewhat hairy part of the code. But I believe I haven't regressed the unit tests Firefox, Safari, Chrome, Opera, and IE9.

 http://web.mit.edu/davidben/Public/jquery-inline-style.patch

comment:13 Changed 2 years ago by anthonyryan1@…

This bug valid. What is the process for having this re-opened?

comment:14 Changed 2 years ago by dmethvin

  • Status changed from closed to reopened
  • Resolution invalid deleted

comment:15 Changed 2 years ago by dmethvin

#12037 is a duplicate of this ticket.

comment:16 Changed 2 years ago by dmethvin

  • Owner changed from adblockforchrome to dmethvin
  • Priority changed from undecided to low
  • Status changed from reopened to assigned
  • Component changed from unfiled to support
  • Milestone changed from None to 1.8

comment:17 Changed 2 years ago by dmethvin

  • Status changed from assigned to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.