Open
Description
Consider this testcase:
<!DOCTYPE html>
<link rel="stylesheet" href="http://example.com"
onload="alert('success')" onerror="alert('fail')">
In this case, the sheet is never applied, since this is a cross-site load and the returned type is not text/css. Browser behavior is as follows (the "loaded over" refers to the original page; the sheet is always being loaded over http):
- Chrome, loaded over http: alerts success
- Chrome, loaded over https: alerts fail
- Safari, loaded over http: alerts success
- Safari, loaded over https: alerts success
- Edge, loaded over http: alerts success
- Edge, loaded over https: no alert at all
- Firefox, loaded over http: alerts fail
- Firefox, loaded over https: alerts fail
Now consider a similar testcase:
<!DOCTYPE html>
<link rel="stylesheet" href="data:text/css,@import url('http://example.com')"
onload="alert('success')" onerror="alert('fail')">
Now the behavior is:
- Chrome, loaded over http: alerts success
- Chrome, loaded over https: alerts fail
- Safari, loaded over http: alerts success
- Safari, loaded over https: alerts success
- Edge, loaded over http: alerts success
- Edge, loaded over https: alerts success
- Firefox, loaded over http: alerts fail
- Firefox, loaded over https: alerts success
This is clearly broken... ;)