- From: Ben Toews <btoews@github.com>
- Date: Mon, 17 Feb 2014 12:31:33 -0600
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <ACA31501D5A441BFBBF8594A0FC786D3@github.com>
Mike, Thanks for addressing this in Blink. We just removed unsafe-eval from our style-src. We hadn’t been planning on locking down our style-src too tightly to begin with. Adding unsafe-eval wasn’t a huge concern and we can add it back if we need to. We are a bit unclear though on what this was intended to protect against. It seems that none of the browsers that support CSP have any of the old JavaScript-in-CSS problems. Was this source just giving control for the sake of giving control, or are we missing something? Thanks! -- Ben Toews On Monday, February 17, 2014 at 3:13 AM, Mike West wrote: > On Thu, Jan 16, 2014 at 11:21 AM, Mike West <mkwst@google.com (mailto:mkwst@google.com)> wrote: > > I'd suggest the following: I'll implement the CSSOM change behind the flag in Blink, turn it on locally, and browsing around on Facebook and Github. If they break, I'll email folks to see if they can easily add 'unsafe-eval' to their `script-src` directives. > > I added this change to Blink a week or three ago. It broke quite a bit more than I expected. As it turns out, jQuery relies on 'cssText' for a number of internal checks and some functionality. > > GitHub added 'unsafe-eval' quickly, but it looks like we'll end up in a situation where 'unsafe-eval' is whitelisted by everyone who sets a 'style-src' directive. I'm not sure this is a change we should make; I've reverted the functionality from Blink so that I'm not breaking chunks of the web for folks who have the "Experimental Web Platform Features" flag flipped. > > -mike > > > > > >
Received on Monday, 17 February 2014 18:32:07 UTC