Re: CSP and inline styles

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 23 Oct 2012 17:16:47 -0400
Message-ID: <5087093F.8000100@mit.edu>
To: public-webappsec@w3.org

Oh, one more thing.  This came up earlier in this thread:

 > For cross-origin CSS loads, browsers now require either that (1) the
 > style sheet has the proper MIME type or (2) the style sheet parses
 > without errors.  In an ideal world, we'd require (1) all the time,
 > but adding (2) was necessary to make the change compatible with the
 > web. We can check with Chris, but my understanding is that every
 > browser does this now, including IE.

Gecko does (1), period.  See 
https://bugzilla.mozilla.org/show_bug.cgi?id=524223#c26 and in general 
the discussion in that bug for why.

We have not had a single compatibility problem reported about this that 
I know of in the 2+ years since we started shipping that behavior.

So I think we can in fact require (1) all the time if we want to.

-Boris
Received on Tuesday, 23 October 2012 21:17:16 GMT
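
The two cross-origin stylesheet rules discussed in this message, written out as a load-time decision. This is an added example, not part of the original post and not code from Gecko or any other browser. The function names, the policy labels, and the `parsedWithoutErrors` flag (supplied by the caller rather than computed by a CSS parser) are assumptions made for illustration, as is the same-origin pass-through, since the message only covers cross-origin loads.

```javascript
// Illustrative sketch; all names here are hypothetical.

// Return the lowercased "type/subtype" of a Content-Type header, or null.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(essence) ? essence : null;
}

// Compare origins (scheme, host, port); relative sheet URLs resolve
// against the document URL.
function isCrossOrigin(documentUrl, sheetUrl) {
  return new URL(documentUrl).origin !== new URL(sheetUrl, documentUrl).origin;
}

// policy "mime-only":           rule (1) all the time
// policy "mime-or-clean-parse": rule (1) or rule (2)
function allowStylesheet(load, policy) {
  // Assumption: the rule is applied to cross-origin loads only.
  if (!isCrossOrigin(load.documentUrl, load.sheetUrl)) return true;
  // Rule (1): the response is labelled as CSS.
  if (mimeEssence(load.contentType) === "text/css") return true;
  // Rule (2): accepted only under the compatibility policy.
  if (policy === "mime-or-clean-parse") return load.parsedWithoutErrors === true;
  return false;
}

// Constructed sample: a cross-origin response labelled text/html that
// happens to parse as CSS without errors.
const mislabelled = {
  documentUrl: "https://app.example/page",
  sheetUrl: "https://other.example/data",
  contentType: "text/html; charset=utf-8",
  parsedWithoutErrors: true,
};
console.log(allowStylesheet(mislabelled, "mime-only"));           // false
console.log(allowStylesheet(mislabelled, "mime-or-clean-parse")); // true
```

The constructed sample is the only case where the two policies disagree: a cross-origin response with a non-CSS type that still parses cleanly.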