Re: Holiday changes to the CSP 1.1 editor's draft.

On Thu, Jan 16, 2014 at 11:21 AM, Mike West <mkwst@google.com> wrote:

> I'd suggest the following: I'll implement the CSSOM change behind the flag
> in Blink, turn it on locally, and browse around on Facebook and GitHub.
> If they break, I'll email folks to see if they can easily add 'unsafe-eval'
> to their `script-src` directives.
>

I added this change to Blink a week or three ago. It broke quite a bit more
than I expected. As it turns out, jQuery relies on 'cssText' for a number
of internal checks and some functionality.

GitHub added 'unsafe-eval' quickly, but it looks like we'll end up in a
situation where 'unsafe-eval' is whitelisted by everyone who sets a
'style-src' directive. I'm not sure this is a change we should make; I've
reverted the functionality from Blink so that I'm not breaking chunks of
the web for folks who have the "Experimental Web Platform Features" flag
flipped.

-mike

Received on Monday, 17 February 2014 09:14:01 UTC