Re: CSP advocacy group??

Brandon Sterne wrote:
> Leaving aside the question about an advocacy group for CSP, I don't see
> why the use case you listed can't be supported under CSP.  You can allow
> the inline style block, with small risk to the application, by adding
> "style-src 'unsafe-inline'" to the policy. Also, since the
> no-inline-script restriction only applies to the top-level document, an
> iframe that contains inline script can be enabled simply by adding the
> iframe's hostname to the frame-src directive.
> 

I'm not that fond of the 'unsafe-inline' directive, as there is no way
for a web browser to differentiate between injected script/style and
what is legitimate. Using external CSS/script and forbidding inline
makes it possible for browsers to differentiate.

With respect to the iframe, I was under the impression the iframe had to
minimally conform to the same policy as its parent document. I guess I
am wrong there, though that is how I would think it should be.

Received on Wednesday, 19 October 2011 01:10:22 UTC