Is there an existing issue for this?
Which Mux Elements/Packages does this apply to? Select all that apply
mux-player, mux-player-react, playback-core
Which browsers are you using?
Chrome, Safari, Firefox, Edge ("Edgeium")
Which operating systems are you using?
macOS
Description
@mux/mux-player renders its error dialog using inline HTML event-handler attributes.
Under a strict Content-Security-Policy where script-src does not include 'unsafe-inline'
(and there is no script-src-attr override), the browser refuses these inline handlers and raises
script-src-attr / blocked-uri: inline violations.
Three inline handlers exist in the error-dialog rendering path:
| Handler |
Element |
Behavior |
When it fires |
onclick="window.location.reload(); return false;" |
retry <a> inside the error message |
reloads the page |
on click of the retry link |
onclose="${onCloseErrorDialog}" |
error dialog <media-theme> |
dialog close handler |
on dialog close |
onfocusin="${onFocusInErrorDialog}" |
error dialog <media-theme> |
focus-in handler |
on dialog open (not click-gated) |
The onclose/onfocusin handlers are not gated on user interaction; they trip CSP essentially
whenever an error dialog appears. None of these fire on normal (non-error) playback.
Note: even though the player's html template processor eventually rebinds on* values via
addEventListener and strips the attribute, the literal on*= text still lives in the template
HTML string that is parsed/cloned into the live DOM, so the browser attempts to compile the inline
handler (and CSP refuses it) before the processor removes the attribute. The retry-link onclick
is a genuine raw inline handler assembled in a MediaError message string in playback-core.
The fix is the same class for all three: stop expressing behavior as inline HTML attributes; attach
handlers to real DOM nodes via addEventListener after they exist. No new reliance on
'unsafe-inline'; behavior must stay identical.
Reduced test case
No response
Steps to reproduce
- Serve a page whose
Content-Security-Policy has a script-src with no 'unsafe-inline' and no script-src-attr override (or use Content-Security-Policy-Report-Only and listen for securitypolicyviolation).
- Load
<mux-player> on that page.
- Force an error state (e.g. a bad/expired playback ID) so the error dialog renders.
Current Behavior
- The browser refuses the dialog's inline
onclose/onfocusin handlers on dialog open, and the retry link's inline onclick on click.
- CSP violations are reported with
violated-directive: script-src-attr and blocked-uri: inline.
Expected Behavior
- The error dialog appears; focus/close behave normally; the retry link reloads the page.
- No
script-src-attr / blocked-uri: inline violation is raised.
- Works without the consuming page needing
'unsafe-inline' in script-src.
Errors
Refused to execute inline event handler because it violates the following Content Security Policy
directive: "script-src 'self' ...". Either the 'unsafe-inline' keyword, a hash, or a nonce is
required to enable inline execution.
(violated-directive: script-src-attr, blocked-uri: inline)
What version of the package are you using?
3.11.6
Is there an existing issue for this?
Which Mux Elements/Packages does this apply to? Select all that apply
mux-player, mux-player-react, playback-core
Which browsers are you using?
Chrome, Safari, Firefox, Edge ("Edgeium")
Which operating systems are you using?
macOS
Description
@mux/mux-playerrenders its error dialog using inline HTML event-handler attributes.Under a strict
Content-Security-Policywherescript-srcdoes not include'unsafe-inline'(and there is no
script-src-attroverride), the browser refuses these inline handlers and raisesscript-src-attr/blocked-uri: inlineviolations.Three inline handlers exist in the error-dialog rendering path:
onclick="window.location.reload(); return false;"<a>inside the error messageonclose="${onCloseErrorDialog}"<media-theme>onfocusin="${onFocusInErrorDialog}"<media-theme>The
onclose/onfocusinhandlers are not gated on user interaction; they trip CSP essentiallywhenever an error dialog appears. None of these fire on normal (non-error) playback.
Note: even though the player's
htmltemplate processor eventually rebindson*values viaaddEventListenerand strips the attribute, the literalon*=text still lives in the templateHTML string that is parsed/cloned into the live DOM, so the browser attempts to compile the inline
handler (and CSP refuses it) before the processor removes the attribute. The retry-link
onclickis a genuine raw inline handler assembled in a
MediaErrormessage string inplayback-core.The fix is the same class for all three: stop expressing behavior as inline HTML attributes; attach
handlers to real DOM nodes via
addEventListenerafter they exist. No new reliance on'unsafe-inline'; behavior must stay identical.Reduced test case
No response
Steps to reproduce
Content-Security-Policyhas ascript-srcwith no'unsafe-inline'and noscript-src-attroverride (or useContent-Security-Policy-Report-Onlyand listen forsecuritypolicyviolation).<mux-player>on that page.Current Behavior
onclose/onfocusinhandlers on dialog open, and the retry link's inlineonclickon click.violated-directive: script-src-attrandblocked-uri: inline.Expected Behavior
script-src-attr/blocked-uri: inlineviolation is raised.'unsafe-inline'inscript-src.Errors
Refused to execute inline event handler because it violates the following Content Security Policy
directive: "script-src 'self' ...". Either the 'unsafe-inline' keyword, a hash, or a nonce is
required to enable inline execution.
(violated-directive: script-src-attr, blocked-uri: inline)
What version of the package are you using?
3.11.6