
Re: CSP advocacy group??

From: Michael A. Peters <mpeters@domblogger.net>
Date: Tue, 18 Oct 2011 18:09:43 -0700
Message-ID: <4E9E2357.3030600@domblogger.net>
To: public-web-security@w3.org
Brandon Sterne wrote:
> Leaving aside the question about an advocacy group for CSP, I don't see
> why the use case you listed can't be supported under CSP.  You can allow
> the inline style block, with small risk to the application, by adding
> "style-src 'unsafe-inline'" to the policy. Also, since the
> no-inline-script restriction only applies to the top-level document, an
> iframe that contains inline script can be enabled simply by adding the
> iframe's hostname to the frame-src directive.
> 

I'm not that fond of the 'unsafe-inline' directive as there is no way
for a web browser to differentiate between injected script/style and
what is legitimate. Using external CSS/Script and forbidding inline
makes it easier for browsers to differentiate.

With respect to the iframe, I was under the impression the iframe had to
minimally conform to the same policy as its parent document. I guess I
am wrong there, though that is how I would think it should be.
Received on Wednesday, 19 October 2011 01:10:22 GMT
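To make the two points in this exchange concrete, here is an added example (not code from either poster or from any browser) that evaluates a small CSP 1.0-style policy: it shows that 'unsafe-inline' under style-src admits every inline style block, injected or legitimate, because the policy gives the browser nothing to tell them apart, and that an iframe is admitted purely by matching its host against frame-src. The policy string, hostnames and the simplified source matching (host and *.host forms only, no port or scheme comparison) are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy for the example: inline styles are tolerated, inline
# scripts are not, and one widget host may be framed.
EXAMPLE_POLICY = ("default-src 'self'; style-src 'self' 'unsafe-inline'; "
                  "frame-src widgets.example.com")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """A missing directive falls back to default-src, as in CSP 1.0."""
    return policy.get(directive, policy.get("default-src", []))


def allows_inline(policy, directive):
    """True if inline content for this directive is permitted.

    Note there is no argument for 'is this block legitimate': the decision
    depends only on the policy, which is exactly the concern raised above.
    """
    return "'unsafe-inline'" in effective_sources(policy, directive)


def host_matches(source_host, host):
    if source_host == "*":
        return True
    if source_host.startswith("*."):
        return host.endswith(source_host[1:])  # *.example.com matches a.example.com
    return source_host == host


def allows_frame(policy, frame_url, page_origin):
    """True if frame_url's host is listed in frame-src (or 'self')."""
    host = urlsplit(frame_url).hostname
    for src in effective_sources(policy, "frame-src"):
        if src == "'none'":
            return False
        if src == "'self'":
            if host == urlsplit(page_origin).hostname:
                return True
            continue
        if src.startswith("'"):
            continue  # other keyword sources are not relevant to framing
        src_host = src.split("://", 1)[-1].split("/")[0]  # drop scheme/path
        if host_matches(src_host, host):
            return True
    return False
```

Checking the example policy: allows_inline(..., "style-src") is True while allows_inline(..., "script-src") is False (script-src inherits default-src 'self'), and only a frame from widgets.example.com passes allows_frame.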

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 19 October 2011 01:10:22 GMT