Skip to content

Bug: mux-player error dialog uses inline on* event-handler attributes that violate a strict CSP #1341

Description

@Jerricho93

Is there an existing issue for this?

  • I have searched the existing issues

Which Mux Elements/Packages does this apply to? Select all that apply

mux-player, mux-player-react, playback-core

Which browsers are you using?

Chrome, Safari, Firefox, Edge ("Edgeium")

Which operating systems are you using?

macOS

Description

@mux/mux-player renders its error dialog using inline HTML event-handler attributes.
Under a strict Content-Security-Policy where script-src does not include 'unsafe-inline'
(and there is no script-src-attr override), the browser refuses these inline handlers and raises
script-src-attr / blocked-uri: inline violations.

Three inline handlers exist in the error-dialog rendering path:

Handler Element Behavior When it fires
onclick="window.location.reload(); return false;" retry <a> inside the error message reloads the page on click of the retry link
onclose="${onCloseErrorDialog}" error dialog <media-theme> dialog close handler on dialog close
onfocusin="${onFocusInErrorDialog}" error dialog <media-theme> focus-in handler on dialog open (not click-gated)

The onclose/onfocusin handlers are not gated on user interaction; they trip CSP essentially
whenever an error dialog appears. None of these fire on normal (non-error) playback.

Note: even though the player's html template processor eventually rebinds on* values via
addEventListener and strips the attribute, the literal on*= text still lives in the template
HTML string that is parsed/cloned into the live DOM, so the browser attempts to compile the inline
handler (and CSP refuses it) before the processor removes the attribute. The retry-link onclick
is a genuine raw inline handler assembled in a MediaError message string in playback-core.

The fix is the same class for all three: stop expressing behavior as inline HTML attributes; attach
handlers to real DOM nodes via addEventListener after they exist. No new reliance on
'unsafe-inline'; behavior must stay identical.

Reduced test case

No response

Steps to reproduce

  1. Serve a page whose Content-Security-Policy has a script-src with no 'unsafe-inline' and no script-src-attr override (or use Content-Security-Policy-Report-Only and listen for securitypolicyviolation).
  2. Load <mux-player> on that page.
  3. Force an error state (e.g. a bad/expired playback ID) so the error dialog renders.

Current Behavior

  • The browser refuses the dialog's inline onclose/onfocusin handlers on dialog open, and the retry link's inline onclick on click.
  • CSP violations are reported with violated-directive: script-src-attr and blocked-uri: inline.

Expected Behavior

  • The error dialog appears; focus/close behave normally; the retry link reloads the page.
  • No script-src-attr / blocked-uri: inline violation is raised.
  • Works without the consuming page needing 'unsafe-inline' in script-src.

Errors

Refused to execute inline event handler because it violates the following Content Security Policy
directive: "script-src 'self' ...". Either the 'unsafe-inline' keyword, a hash, or a nonce is
required to enable inline execution.
(violated-directive: script-src-attr, blocked-uri: inline)

What version of the package are you using?

3.11.6

Metadata

Metadata

Assignees

Labels

Status: UnconfirmedA potential issue that we haven't yet confirmed as a bug

Type

Fields

No fields configured for Bug.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions