Re: CSP and inline styles

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 28 Dec 2012 09:53:25 -0800
Message-ID: <50DDDC95.9050603@mit.edu>
To: public-webappsec@w3.org

On 12/28/12 5:58 AM, Yoav Weiss wrote:
> Furthermore, with the recent addition of `@viewport` to CSS, banning
> inline styles would prevent the HTMLPreloadScanner/Speculative-parser
> from evaluating media queries, since viewport modifications may be
> applied in external CSS that is loaded and parsed *after* the
> HTMLPreloadScanner has run.

This is true no matter whether inline styles are banned, since even if 
they're allowed the page can _still_ put @viewport in an external 
stylesheet, no?

> I have shown (as part of the RICG’s `picture` element prototyping[4])
> that MQ evaluation in the PreloadScanner can work

For what it's worth, it can only work at the cost of deoptimizing other 
parts of pageload (e.g. by requiring a layout to determine viewport size 
much earlier than it would be needed otherwise).

-Boris
Received on Friday, 28 December 2012 17:54:05 GMT