mozilla / bedrock

Making mozilla.org awesome, one pebble at a time

Home Page: https://www.mozilla.org

Unsafe CSP needed for `mozilla-video-poster`

janbrasna opened this issue · comments

Description

While reviewing potential CSP violations in the future, one such JS setting style unsafely is:

    video.setAttribute('style', 'visibility: visible;');
    try {
        if (video && video.readyState && video.readyState > 0) {
            video.play();
        } else {
            video.load();
            video.play();
        }
    } catch (e) {
        // fail silently.
    }
    poster.setAttribute('style', 'display: none;');

The fix is simple, just converting video.setAttribute() to video.style.* directly.

However, this mozilla-video-poster.js doesn't seem to be used anywhere, incl. its template markup as:

<div class="moz-video-container">
  <button class="moz-video-button" 

Should it be removed instead of fixing?


Success Criteria

  • Decision is made whether the script is to be kept at all, or not.
  • Unsafe style resolved by updating the script, or removing it entirely.
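
The conversion described in the issue, as an added example that is not part of the original issue or of bedrock's code: a small Node.js helper that finds literal `setAttribute('style', ...)` calls, which a `style-src` policy without `'unsafe-inline'` blocks, and rewrites them to `style.*` assignments. The function names and the regular expression are assumptions made for illustration, and only string-literal arguments are handled.

```javascript
// Added example, not bedrock code: rewrite literal x.setAttribute('style', '...')
// calls into x.style.<prop> assignments and report the lines they were found on.
// Caveat: setAttribute replaces the whole inline style; the rewrite sets only the
// listed properties, so review each change.
const STYLE_ATTR_CALL =
  /([\w$.]+)\.setAttribute\(\s*(['"])style\2\s*,\s*(['"])([^'"]*)\3\s*\);?/g;

// 'background-color' -> 'backgroundColor'
const toCamelCase = (prop) => prop.replace(/-([a-z])/g, (_, c) => c.toUpperCase());

// 'visibility: visible; display: none' -> [['visibility', 'visible'], ['display', 'none']]
function parseDeclarations(cssText) {
  return cssText
    .split(';')
    .filter((decl) => decl.includes(':'))
    .map((decl) => {
      const i = decl.indexOf(':');
      return [decl.slice(0, i).trim(), decl.slice(i + 1).trim()];
    });
}

// Custom properties (--foo) have no camelCase accessor, so they use setProperty().
function toAssignment(target, prop, value) {
  return prop.startsWith('--')
    ? `${target}.style.setProperty('${prop}', '${value}');`
    : `${target}.style.${toCamelCase(prop)} = '${value}';`;
}

function rewriteStyleAttributes(source) {
  const findings = [];
  const lines = source.split('\n').map((line, idx) =>
    line.replace(STYLE_ATTR_CALL, (match, target, q1, q2, cssText) => {
      findings.push({ line: idx + 1, target, cssText });
      const decls = parseDeclarations(cssText);
      if (decls.length === 0) return match; // e.g. style reset: leave for manual review
      return decls.map(([prop, value]) => toAssignment(target, prop, value)).join(' ');
    })
  );
  return { output: lines.join('\n'), findings };
}

// Sample input: the two style writes from the snippet quoted in the issue.
const SAMPLE = [
  "video.setAttribute('style', 'visibility: visible;');",
  'video.play();',
  "poster.setAttribute('style', 'display: none;');",
].join('\n');

console.log(rewriteStyleAttributes(SAMPLE).output);
```

Calls whose second argument is a variable or expression are left untouched and not reported, so they still need a manual pass.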

Most of our videos today are served on YouTube, and whilst we do sometimes host video on our CDN, this particular script hasn't been used in a long time. I believe the idea around it originally was to show a branded video thumbnail pre-click, but given that all browsers today support the poster attribute, maybe we no longer need this?

It can always be brought back via Git history, so I'd vote to remove it if no longer used.

Hi, @alexgibson should I pick this one?

@Ayushsunny if you're able, then yes please feel free. Pull requests are welcome.

Ah okay it's really just a 10yo IE9 shim for posters: #2181 that can be pretty much forgotten today.

Seems like any moz-video-* styles have been long removed already, so it's probably safe to just delete @Ayushsunny

Hi @janbrasna, so just deleting the mozilla-video-poster.js file would work and fix this issue? That is it?

@alexgibson, @janbrasna any update?

Yes, deleting the file is all that's needed.