On Wed, Sep 19, 2012 at 6:08 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 9/19/12 4:19 PM, Adam Barth wrote:
>> On Tue, Sep 18, 2012 at 5:12 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>> On 9/18/12 6:40 PM, Mike West wrote:
>>>>>
>>>>> * doc.body.setAttribute("style", "...");
>>> ...
>>>>>
>>>>> * doc.body.style.background = "...";
>>>
>>> There is no functional difference between those two. Especially not if
>>> you actually consider:
>>>
>>> doc.body.style.cssText = "....";
>>
>> There isn't a functional difference, but there is a semantic
>> difference. One is manipulating the DOM style attribute (which then
>> gets reflected in the styles themselves). The other is manipulating
>> the styles themselves (which then gets reflected into the DOM style
>> attribute).
>
> Yes, but in which case is this semantic difference something someone writing
> a CSP would care about, given that the resulting functionality is identical?

I should say that I don't really have a strong opinion here. If
there's another semantics that you prefer strongly, I'm certainly open
to that.

For authors, we should strive for the conceptually clearest semantics.
The concept I was going for was "don't use the style element or
attribute." Maybe it's clearer to include the CSSOM as well? There
isn't really a security benefit to blocking the CSSOM, so it seemed
simpler to allow it.

Adam

Received on Thursday, 20 September 2012 01:21:59 GMT
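The three write paths discussed in this message, as an added test page that is not part of the original thread: it writes the same background through the style attribute, a CSSOM property and `cssText` under a policy that restricts only `style-src`, then shows which writes took effect and which raised a `securitypolicyviolation` event. The element ids, the colour and the 100 ms delay are assumptions made for this example; a browser that enforces CSP as currently specified reports only the `setAttribute` path as blocked.

```html
<!doctype html>
<!-- Constructed test page. Only style-src is restricted, so the inline script below still runs. -->
<meta http-equiv="Content-Security-Policy" content="style-src 'self'">
<title>CSP: style attribute vs CSSOM</title>
<body>
<div id="attr">doc.body.setAttribute("style", "...")</div>
<div id="prop">doc.body.style.background = "..."</div>
<div id="text">doc.body.style.cssText = "..."</div>
<pre id="out"></pre>
<script>
const GREEN = "rgb(0, 128, 0)";
const violations = [];

// Record every directive the browser reports as violated.
document.addEventListener("securitypolicyviolation", (e) => {
  violations.push(e.effectiveDirective);
});

// One writer per path named in the thread, keyed by the id of its target element.
const writers = {
  attr: (el) => el.setAttribute("style", "background: " + GREEN), // DOM style attribute
  prop: (el) => { el.style.background = GREEN; },                 // CSSOM property
  text: (el) => { el.style.cssText = "background: " + GREEN; },   // CSSOM cssText
};
for (const [id, write] of Object.entries(writers)) {
  write(document.getElementById(id));
}

// Violation events are dispatched from a queued task, so read the results later.
setTimeout(() => {
  const lines = Object.keys(writers).map((id) => {
    const el = document.getElementById(id);
    const applied = getComputedStyle(el).backgroundColor === GREEN;
    return id + ": " + (applied ? "applied" : "not applied");
  });
  lines.push("violations: " + JSON.stringify(violations));
  document.getElementById("out").textContent = lines.join("\n");
}, 100);
</script>
</body>
```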
This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 20 September 2012 01:22:00 GMT