Re: CSP and inline styles

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 23 Oct 2012 14:29:46 -0700
Message-ID: <CAJE5ia-Ew2Ntg4Ld1LDiUoR1eOj95nuBSKtXbyP=aZ+3Ss2rJg@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: public-webappsec@w3.org

On Tue, Oct 23, 2012 at 2:16 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Oh, one more thing.  This came up earlier in this thread:
>
>> For cross-origin CSS loads, browsers now require either that (1) the
>> style sheet has the proper MIME type or (2) the style sheet parses
>> without errors.  In an ideal world, we'd require (1) all the time,
>> but adding (2) was necessary to make the change compatible with the
>> web. We can check with Chris, but my understanding is that every
>> browser does this now, including IE.
>
> Gecko does (1), period.  See
> https://bugzilla.mozilla.org/show_bug.cgi?id=524223#c26 and in general the
> discussion in that bug for why.
>
> We have not had a single compatibility problem reported about this that I
> know of in the 2+ years since we started shipping that behavior.
>
> So I think we can in fact require (1) all the time if we want to.

That's great.  I'll see if we can do the same in WebKit as well.

Adam
Received on Tuesday, 23 October 2012 21:30:46 GMT
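
The two acceptance rules discussed in this message, modeled as an added example (not part of the original thread and not any browser's code). The function names, the `parsesWithoutErrors` flag (standing in for a real CSS parser's result) and the sample responses are constructed assumptions.

```javascript
// Added example: the two cross-origin stylesheet rules from the thread.
// All names and sample responses below are constructed for illustration.

// MIME essence ("type/subtype") of a Content-Type header; "" if absent.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Resolve the sheet URL against the page and compare origins.
function isCrossOrigin(pageUrl, sheetUrl) {
  return new URL(sheetUrl, pageUrl).origin !== new URL(pageUrl).origin;
}

// Rule (1) alone is the strict policy; (1) or (2) is the lenient one.
// parsesWithoutErrors stands in for a real CSS parser's verdict (assumption).
function auditPage(pageUrl, sheets) {
  return sheets
    .filter((s) => isCrossOrigin(pageUrl, s.url)) // rules cover cross-origin loads only
    .map((s) => {
      const properMime = mimeEssence(s.contentType) === "text/css";
      const lenientOk = properMime || s.parsesWithoutErrors === true;
      return {
        url: s.url,
        strict: properMime ? "accept" : "reject",
        lenient: lenientOk ? "accept" : "reject",
      };
    });
}

const PAGE = "https://app.example/index.html"; // constructed page URL
const SHEETS = [ // constructed responses
  { url: "/local.css", contentType: "text/plain", parsesWithoutErrors: true },
  { url: "https://cdn.example/a.css", contentType: "text/css; charset=utf-8", parsesWithoutErrors: true },
  { url: "https://cdn.example/b.css", contentType: "Text/CSS", parsesWithoutErrors: false },
  { url: "https://cdn.example/c.css", contentType: "text/plain", parsesWithoutErrors: true },
  { url: "https://cdn.example/d.html", contentType: "text/html", parsesWithoutErrors: false },
  { url: "https://cdn.example/e.css", contentType: null, parsesWithoutErrors: true },
];

// URLs of cross-origin sheets that the given policy would refuse to apply.
function rejectedUnder(policy) {
  return auditPage(PAGE, SHEETS).filter((r) => r[policy] === "reject").map((r) => r.url);
}

console.log("strict rejects:", rejectedUnder("strict"));
console.log("lenient rejects:", rejectedUnder("lenient"));
```

Sheets that appear only in the strict list are the ones whose servers would need to send `text/css` for the load to survive rule (1) being required all the time.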
