
Re: unsafe-inline for style-src

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 19 Sep 2012 21:08:25 -0400
Message-ID: <505A6C89.6010409@mit.edu>
To: public-webappsec@w3.org

On 9/19/12 4:19 PM, Adam Barth wrote:
> On Tue, Sep 18, 2012 at 5:12 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> On 9/18/12 6:40 PM, Mike West wrote:
>>>> * doc.body.setAttribute("style", "...");
>> ...
>>>> * doc.body.style.background = "...";
>>
>> There is no functional difference between those two.  Especially not if you
>> actually consider:
>>
>>    doc.body.style.cssText = "....";
>
> There isn't a functional difference, but there is a semantic
> difference.  One is manipulating the DOM style attribute (which then
> gets reflected in the styles themselves).  The other is manipulating
> the styles themselves (which then gets reflected into the DOM style
> attribute).

Yes, but in which case is this semantic difference something someone 
writing a CSP would care about, given that the resulting functionality 
is identical?

-Boris
Received on Thursday, 20 September 2012 01:08:54 GMT
