Unsafe CSP needed for `mozilla-video-poster`
janbrasna opened this issue
Description
While reviewing potential CSP violations in the future, one such JS setting style unsafely is:
`bedrock/media/js/base/mozilla-video-poster.js` (lines 72 to 85 in 3a4d7d6)
The fix is simple, just converting `video.setAttribute()` to `video.style.*` directly.
However, this `mozilla-video-poster.js` doesn't seem to be used anywhere, incl. its template markup as:
<div class="moz-video-container">
<button class="moz-video-button" …
Should it be removed instead of fixing?
Success Criteria
- Decision is made whether the script is to be kept at all, or not.
- Unsafe style resolved by updating the script, or removing it entirely.
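
The kind of review described in this issue can be partly automated. The following is an added example, not code from this thread or from bedrock: it scans JS source for `setAttribute('style', ...)` calls, which a `style-src` policy without `'unsafe-inline'` blocks, and proposes the `element.style` equivalents, which such a policy allows. The function names and the sample source are hypothetical.

```javascript
// Added example: flag CSP-unsafe setAttribute('style', ...) calls and propose
// CSSOM rewrites. Regex-based: single-line calls only; a value that is not one
// plain string literal (or that contains ';' inside url(...)) needs manual review.
const STYLE_ATTR_CALL =
  /([\w$.\[\]]+)\.setAttribute\(\s*(['"])style\2\s*,\s*(.*)\)\s*;?/;

// "width: 100%; height: auto" -> [["width", "100%"], ["height", "auto"]]
function parseDeclarations(cssText) {
  return cssText
    .split(';')
    .map((decl) => decl.trim())
    .filter((decl) => decl.includes(':'))
    .map((decl) => {
      const colon = decl.indexOf(':');
      return [decl.slice(0, colon).trim(), decl.slice(colon + 1).trim()];
    });
}

function findUnsafeStyleWrites(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const call = STYLE_ATTR_CALL.exec(text);
    if (!call) return;
    const [, target, , arg] = call;
    // Only rewrite when the value is a single quoted literal with no nested quotes.
    const literal = /^(['"])([^'"]*)\1$/.exec(arg.trim());
    const fix = literal
      ? parseDeclarations(literal[2]).map(
          ([prop, value]) => `${target}.style.setProperty('${prop}', '${value}');`
        )
      : null; // dynamic value: rewrite by hand
    findings.push({ line: idx + 1, target, fix });
  });
  return findings;
}

// Constructed sample input; not the contents of mozilla-video-poster.js.
const SAMPLE = [
  "var video = container.querySelector('video');",
  "video.setAttribute('style', 'width: 100%; height: auto');",
  "video.setAttribute('poster', poster);",
  'overlay.setAttribute("style", "display:" + mode);',
  "video.style.display = 'block';",
].join('\n');

for (const f of findUnsafeStyleWrites(SAMPLE)) {
  console.log(`line ${f.line}: ${f.target}.setAttribute('style', ...)`);
  console.log(f.fix ? '  ' + f.fix.join('\n  ') : '  dynamic value, rewrite manually');
}
```
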
Most of our videos today are served on YouTube, and whilst we do sometimes host video on our CDN, this particular script hasn't been used in a long time. I believe the idea around it originally was to show a branded video thumbnail pre-click, but given that all browsers today support the `poster` attribute, maybe we no longer need this?
It can always be brought back via Git history, so I'd vote to remove it if no longer used.
Hi, @alexgibson should I pick this one?
@Ayushsunny if you're able, then yes please feel free. Pull requests are welcome.
Ah okay it's really just a 10yo IE9 shim for posters: #2181 that can be pretty much forgotten today.
Seems like any `moz-video-*` styles have been long removed already, so it's probably safe to just delete @Ayushsunny
> Ah okay it's really just a 10yo IE9 shim for posters: #2181 that can be pretty much forgotten today.
> Seems like any `moz-video-*` styles have been long removed already, so it's probably safe to just delete @Ayushsunny

Hi @janbrasna, so just deleting the `mozilla-video-poster.js` file would work and fix this issue? That is it?
@alexgibson, @janbrasna any update?
Yes, deleting the file is all that's needed.