[CSP] ‘unsafe-hashed-attributes’, ‘unsafe-inline-attributes’ and CSP directive versioning

From: Andy Paicu <andypaicu@chromium.org>
Date: Thu, 05 Apr 2018 12:50:27 +0000
Message-ID: <CALTCLq638QUuQ1yHHdoAVjeVhdRhOGuf7EtNW5cGsw+cHreq1w@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hello folks at webappsec,

The CSP 'unsafe-hashed-attributes' keyword proposal has traditionally had
quite a bit of controversy and discussion and I would like to try to
channel all of these discussions and opinions towards some end decision of
some sort.

'unsafe-inline-attribute' has also had some discussion and has recently
resurfaced in light of some CSS-based keylogger attacks. Seeing that it is
quite similar to 'unsafe-hashed-attributes' I think they're worth
discussing together.

CSP directive versioning follows logically from the two above so I have
also bundled it up in the explainer below:

https://docs.google.com/document/d/1_nYS4gWYO2Oh8rYDyPglXIKNsgCRVhmjHqWlTAHst7c/edit?usp=sharing

I would like to hear all of your thoughts and opinions on this as I believe
there is real benefit in adding these features.

Regards,
Andy Paicu
Received on Thursday, 5 April 2018 12:51:09 UTC
