browser-compat-data icon indicating copy to clipboard operation
browser-compat-data copied to clipboard
verified publisher icon mdn

api.Element.securitypolicyviolation_event - it's not deprecated

Open OnkarRuikar opened this issue 3 years ago • 2 comments

What information was incorrect, unhelpful, or incomplete?

Very first commit for this event got added with "deprecated": true.

Current speck Content Security Policy Level 3 says:

Given a violation (violation), this algorithm reports it to the endpoint specified in violation’s policy, and fires a SecurityPolicyViolationEvent at violation’s element, or at violation’s global object as described below:

Fire an event named securitypolicyviolation that uses the SecurityPolicyViolationEvent interface at target

What did you expect to see?

See the event named securitypolicyviolation as not deprecated.

Did you test this? If so, how?

Google Chrome 98, and Firefox 97 on Windows 10.

MDN page report details
  • Query: api.Element.securitypolicyviolation_event
  • MDN URL: https://developer.mozilla.org/en-US/docs/Web/API/Element/securitypolicyviolation_event
  • Report started: 2022-03-06T06:51:37.468Z

OnkarRuikar avatar Mar 06 '22 07:03 OnkarRuikar

I'm curious about this, too.

Is this deprecation notice accurate, or just a simple mistake?

ryanpetrello avatar Aug 31 '22 21:08 ryanpetrello

@ryanpetrello similar discussion has happened here https://github.com/mdn/content/pull/19307#issuecomment-1217445092 .

Depending on the answer from https://github.com/mdn/content/pull/19307#issuecomment-1217463068, I'll close or fix this issue.

cc/ @teoli2003

OnkarRuikar avatar Sep 01 '22 07:09 OnkarRuikar

TL;DR: The deprecated flag should be removed from the BCD and MDN.

The securitypolicyviolation event is not deprecated. It is still in the relevant specs, and there haven't been any discussion about this in https://github.com/w3c/webappsec-csp/issues

It's still marked as deprecated at https://github.com/mdn/browser-compat-data/blob/0d681c628f9416c29d62cf3bb3b2c5fb7af02c89/api/Element.json#L8108 and https://github.com/mdn/browser-compat-data/blob/0d681c628f9416c29d62cf3bb3b2c5fb7af02c89/api/WorkerGlobalScope.json#L488 and https://developer.mozilla.org/en-US/docs/Web/API/Element/securitypolicyviolation_event

However these events are not deprecated. Here is a WPT that verifies that the event is fired for workers (to self instead of document): https://github.com/web-platform-tests/wpt/pull/30925

I just tested, and the "securitypolicyviolation" event itself (on an element, e.g. added via addEventListener or the document.body.onsecuritypolicyviolation member) IS dispatched, consistent with how the feature is documented. Here is a comment from 1 year ago that shows that the event works as expected: https://bugzilla.mozilla.org/show_bug.cgi?id=1727302#c5. Well, understandably the CSP violation is not reported for previous violations, but when the CSP violation is triggered after adding the event listener, it is fired. The documentation for that was handled in https://github.com/mdn/content/issues/8614

Rob--W avatar Oct 24 '22 13:10 Rob--W

Ping @hamishwillee , @teoli2003. Waiting on https://github.com/mdn/content/pull/19307#issuecomment-1217463068.

OnkarRuikar avatar Oct 25 '22 05:10 OnkarRuikar

I have now responded. I have no recollection of anything that should have made this deprecated, so I think it was a copy paste error.

hamishwillee avatar Oct 25 '22 05:10 hamishwillee

Let's get rid of it, then. @OnkarRuikar, do you want to create the PR here? (The sync script will port this back to MDN later this week)

teoli2003 avatar Oct 25 '22 06:10 teoli2003