BrowserUrl::parse("<style>") was silently succeeding by treating the
sentinel string as a relative file path, producing file:///cwd/%3Cstyle%3E.
Font URLs in inline @font-face rules then resolved against this file://
base instead of the page's actual HTTP(S) URL.

Three fixes applied:

- Pass page base URL as source for inline <style> stylesheets instead of
  the "<style>" sentinel string
- Add defense-in-depth filter in font loading to reject file:// stylesheet
  bases when the page is HTTP(S)
- Restrict BrowserUrl::parse file path fallback to only trigger for inputs
  that look like actual paths (starting with /, ./, or ../)

Updates CNN investigation report: F-009 (font loading) and F-011
(duplicate badge painting) marked as fixed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
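
The three fixes described in the commit message above, sketched as an added example that is not part of the commit or the project's code. Every function name here is a hypothetical stand-in, the URLs are constructed samples, and URL handling is simplified to the standard library (no dot-segment normalization).

```rust
// Added illustration. All function names are hypothetical stand-ins, not the project's API.

/// Fix 3: only inputs starting with /, ./ or ../ may take the file-path fallback.
fn looks_like_path(input: &str) -> bool {
    input.starts_with('/') || input.starts_with("./") || input.starts_with("../")
}

/// Lower-cased scheme of an absolute URL, or None if there is no "scheme://" prefix.
fn scheme_of(url: &str) -> Option<String> {
    let (scheme, _) = url.split_once("://")?;
    let ok = !scheme.is_empty()
        && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c));
    if ok { Some(scheme.to_ascii_lowercase()) } else { None }
}

/// Simplified parser: absolute URLs pass through, path-like inputs become
/// file:// URLs, anything else is rejected instead of being treated as a path.
fn parse_with_fallback(input: &str, cwd: &str) -> Option<String> {
    if scheme_of(input).is_some() {
        return Some(input.to_string());
    }
    if !looks_like_path(input) {
        return None; // "<style>" stops here instead of becoming file:///cwd/%3Cstyle%3E
    }
    if input.starts_with('/') {
        Some(format!("file://{}", input))
    } else {
        Some(format!("file://{}/{}", cwd.trim_end_matches('/'), input))
    }
}

/// Fix 2: refuse a file:// stylesheet base when the page itself is HTTP(S).
fn allow_font_base(page_url: &str, stylesheet_base: &str) -> bool {
    let page_is_http = matches!(scheme_of(page_url).as_deref(), Some("http") | Some("https"));
    !(page_is_http && scheme_of(stylesheet_base).as_deref() == Some("file"))
}

/// Simplified relative resolution: replace the last path segment of `base`
/// (assumes `base` has a path component).
fn resolve(base: &str, rel: &str) -> String {
    let dir_end = base.rfind('/').map_or(base.len(), |i| i + 1);
    format!("{}{}", &base[..dir_end], rel)
}

fn main() {
    let page = "https://example.test/news/index.html"; // constructed sample URL
    let bad_base = "file:///cwd/%3Cstyle%3E"; // what the sentinel used to parse to
    println!("old font URL:   {}", resolve(bad_base, "fonts/a.woff2"));
    println!("fixed font URL: {}", resolve(page, "fonts/a.woff2")); // Fix 1: page URL as base
    println!("filter allows bad base: {}", allow_font_base(page, bad_base));
    println!("sentinel parses: {:?}", parse_with_fallback("<style>", "/cwd"));
}
```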