Hints doesn't work on Archlinux Security page. #531

Closed
0a-a opened this issue Nov 12, 2018 · 5 comments


0a-a commented Nov 12, 2018

Steps to reproduce

  1. Open the site https://security.archlinux.org/
  2. Trigger any hints (f, ;x, ;o, etc)

Expected behaviour

Elements get highlighted and the keyhints show up
Highlight works, but no keyhints show up.

Actual behaviour

$ vimb --bug-info
Commit:          3.3.0-3-g502b49a
WebKit compile:  2.22.2
WebKit run:      2.22.2
GTK compile:     3.24.1
GTK run:         3.24.1
libsoup compile: 2.64.2
libsoup run:     2.64.2
Extension dir:   /usr/lib/vimb

Was the same with vimb version 3.2.

@fanglingsu
Owner

@0a-a Thank you for reporting this issue. I can reproduce this. The hint labels are kept as display: none, the default value when they are created. I assume that this is related to the error in the webinspector "Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.".
So the style changes of vimb could not be applied to the hinted elements or hint labels because the inline styles are not evaluated. We could remove the display:none part, but the inline set positions for the labels would also be denied. I'm not sure if there is a working solution for this issue. Maybe we could do some shadow-DOM stuff to create the hint labels.

@0a-a
Author

0a-a commented Nov 20, 2018

Seems that there's the same or a similar issue with https://pypi.org


@fanglingsu
Owner

fanglingsu commented Nov 21, 2018

Yes, this seems to be the same issue with the Content-Security-Policy.

The issue can be checked also by opening webinspector and running some JS
that creates elements with inline styles.

:e! document.body.innerHTML += '<div style="position:absolute;width:100px;height:100px;z-index:100;background:#f00;left:0;top:0;">FOO</div>';

An error is shown in webinspector like "Refused to apply a stylesheet
because its hash, its nonce, or 'unsafe-inline' does not appear in the
style-src directive of the Content Security Policy." and the element is not
styled right.

@fanglingsu
Owner

I don't think we can do anything to bypass this security mechanism. OK, we could, by removing the CSP headers before they are processed by webkit. But I don't want to remove this extra piece of security.
I've checked if it would be possible to style shadow DOM nodes, but this is also not allowed.

fanglingsu added a commit that referenced this issue Nov 21, 2018
The styling by the element's style attribute might be forbidden by
Content-Security-Policy restrictions. But positioning of the elements by
the element's style object seems to work.
@fanglingsu
Owner

I've changed the JS logic to consistently use the element's style object to position and style them instead of the style attribute. I thought both were only two ways to do the same thing, but they are different, as we can see now.
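
The error quoted in this thread names the three things a style-src directive can contain to permit inline styles. As an added example (not vimb's code), the following JavaScript checks one Content-Security-Policy header value and reports whether an arbitrary inline style attribute, such as the one the hint labels originally relied on, would be applied. The function names and sample policies are constructed, and a single enforced policy is assumed.

```javascript
// Added example: decide whether a Content-Security-Policy header value lets an
// injected element keep an arbitrary inline style="" attribute.
// Function names and the sample policies below are constructed for illustration.

// Split a policy string into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Style attributes are governed by style-src-attr, falling back to style-src,
// then default-src. No governing directive means no restriction.
function effectiveStyleAttrDirective(directives) {
  for (const name of ['style-src-attr', 'style-src', 'default-src']) {
    if (directives.has(name)) return name;
  }
  return null;
}

// 'unsafe-inline' permits inline styles only when the same source list carries
// no nonce or hash source; browsers ignore the keyword when one is present.
function inlineStyleAttrAllowed(policy) {
  const directives = parseCsp(policy);
  const name = effectiveStyleAttrDirective(directives);
  if (name === null) return { allowed: true, directive: null };
  const sources = directives.get(name).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha256-|sha384-|sha512-)/.test(s));
  const allowed = sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  return { allowed, directive: name };
}

// Constructed sample policies (not taken from the sites named in the issue).
const samples = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline' 'nonce-Zm9vYmFy'",
  "script-src 'self'",
];
for (const policy of samples) {
  const { allowed, directive } = inlineStyleAttrAllowed(policy);
  console.log(`${allowed ? 'allowed' : 'blocked'} (${directive ?? 'no directive'}): ${policy}`);
}
```

Properties assigned through an element's style object are not subject to this check, which is why the change described in the last comment works on pages where this function reports the attribute as blocked.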
