Closed Bug 1727302 Opened 4 years ago Closed 4 years ago

Add onsecuritypolicyviolation event handler

Categories

(Core :: DOM: Core & HTML, enhancement, P3)

Product:
Core
Component:
DOM: Core & HTML
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
93 Branch
Tracking Flags:
Tracking Status
firefox93 --- fixed

People

(Reporter: soniasingla, Assigned: soniasingla)

Details

(Keywords: dev-doc-complete)

Attachments

(1 file)

Bug 1727302 - Add onsecuritypolicyviolation event handler.r?smaug
48 bytes, text/x-phabricator-request
Details | Review

See: https://github.com/whatwg/html/pull/2651

Webkit started on adding it, it would be nice to have it in firefox too.

Webkit bug: https://bugs.webkit.org/show_bug.cgi?id=229381

I am working on it

Assignee: nobody → soniasingla.1812
Priority: -- → P3
Severity: -- → S3
Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e7459f43c367 Add onsecuritypolicyviolation event handler.r=smaug

https://hg.mozilla.org/mozilla-central/rev/e7459f43c367

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
status-firefox93: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch

I'm adding docs for this in FF93, which you can track in https://github.com/mdn/content/issues/8614

From what I can see, and basic testing, this adds a global onsecuritypolicyviolation event handler. I think this means that you can now use onsecuritypolicyviolation on window or document or any other element. Before this change on Firefox you couldn't use onsecuritypolicyviolation at all (though you could use addEventListener on document or Window). Is that about right?

The spec says "The following event handler content attributes may be specified on any HTML element:". However I wrote some test code and found that a handler added to <p> or <img> using onsecuritypolicyviolation does not seem to be fired - while it is for Document or Window. My test shows that the method is not undefined (using typeof) so presumably it exists.

Perhaps this is because of the nature of the API. If you add the handler before the HTML is loaded (before a violation) presumably the element is null - and so you won't be able to add the handler. If you add a script after HTML has loaded the violation has already occurred, so you won't see the event at all. In other words it feels like even though you can add this to elements, you will never actually see it fired if you do. Does that make sense?

Is there any more "specialness" to this?

Flags: needinfo?(soniasingla.1812)

@Hamish Are you able to get the handler fired if you register it on <p> or <img> via addEventListener instead of an onsecuritypolicyviolation IDL/content attribute?

Flags: needinfo?(hamishwillee)

@fredw No.

Note that if load scripts before the HTML has loaded the p and img are null - so that fails. If I add after they have loaded the event has already been fired so I don't get the handler called. I guess it works for the window because that exists before the event fires

Flags: needinfo?(hamishwillee)

@Hamish: OK, i guess that's expected then. The new attributes should behave the same as addEventListener. (note that WPT tests just use rely on EventTarget.dispatchEvent to emulate an event).

I guess it is. Though it feels a bit odd, and of course I worry my test code is wrong. I'll add a note in the docs to highlight the case.

FYI work for this is essentially complete, though will be going through review. You can track in https://github.com/mdn/content/issues/8614#issuecomment-913969124. I have added dev-doc-complete.

Thank you for your help Frédéric.

Flags: needinfo?(soniasingla.1812)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: