On 19/03/2012 23:25, Adam Barth wrote:
> On Mon, Mar 19, 2012 at 2:48 PM, sec_ext <sec_ext@fb.com> wrote:
>> In the CSP specification, it states "authors should not include
>> 'unsafe-inline' in their CSP policies if they wish to protect themselves
>> against XSS."
>>
>> It is not entirely clear how allowing inline CSS ('style-src
>> 'unsafe-inline';) can lead to XSS if you are blocking inline and external
>> JS (script-src none;)
>>
>> Will 'script-src none' not block JS attempts in CSS?
> CSP forbids any JavaScript from being included in CSS, regardless of
> what policy you use.

Sorry to ask if the question is stupid, but how do you include JavaScript in CSS? I've never heard of such a thing being possible.

David

Received on Tuesday, 20 March 2012 10:03:45 UTC
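The exchange above turns on which directive 'unsafe-inline' appears in and on how script-src and style-src fall back to default-src when they are absent. The following inspector, an added example that is not part of the thread or of any CSP implementation, parses a Content-Security-Policy header and reports whether inline scripts and inline styles would be permitted. It assumes CSP Level 1 semantics (first occurrence of a directive wins, fetch directives fall back to default-src, a silent policy imposes no restriction) and does not model nonces or hashes; the function names and sample policies are constructed for illustration.

```python
# Added example (not from the thread): inspect a CSP header and report,
# per the fallback rules assumed above, whether inline script and inline
# style are permitted. Sample policies below are constructed.

def parse_csp(header):
    """Return {directive_name: [source expressions]} for a CSP header string."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # The first occurrence of a directive wins; later duplicates are ignored.
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy, directive):
    """Apply the fetch-directive fallback: script-src/style-src defer to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")  # None: the policy says nothing about it


def allows_inline(policy, directive):
    """True if inline content governed by `directive` may run under this policy.

    - no governing directive (and no default-src) -> allowed, policy is silent
    - 'unsafe-inline' listed                       -> allowed
    - anything else ('none', 'self', hosts ...)    -> blocked
    Keyword matching is ASCII case-insensitive, as in the spec.
    """
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return "'unsafe-inline'" in (s.lower() for s in sources)


def summarize(header):
    """Report the inline-script and inline-style outcome for one header."""
    policy = parse_csp(header)
    return {
        "inline_script": allows_inline(policy, "script-src"),
        "inline_style": allows_inline(policy, "style-src"),
    }


# Constructed sample policies.
QUESTIONER_POLICY = "script-src 'none'; style-src 'unsafe-inline'"
FALLBACK_POLICY = "default-src 'self' 'unsafe-inline'"
STRICT_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'"

if __name__ == "__main__":
    for label, hdr in [("questioner", QUESTIONER_POLICY),
                       ("fallback", FALLBACK_POLICY),
                       ("strict", STRICT_POLICY)]:
        print(label, summarize(hdr))
```

Two details worth checking against a real header: the keyword must be quoted ('none', not none, otherwise it is parsed as a host name rather than the keyword), and a policy with 'unsafe-inline' only in default-src re-enables inline script through the fallback unless script-src is set explicitly.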
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:53:57 UTC