- From: Michael A. Peters <mpeters@domblogger.net>
- Date: Fri, 2 Dec 2016 09:07:54 -0800
- To: whatwg@lists.whatwg.org
On 12/02/2016 08:47 AM, Boris Zbarsky wrote:
> On 12/2/16 11:34 AM, Michael A. Peters wrote:
>> It seems that CSP behavior has radically changed since the last time I
>> looked at it
>
> I can't speak to when you last looked at it, but the current state
> shipping in browsers is, as far as I know, no different from what
> browsers shipped initially for purposes of this discussion.
>
>> At least historically, the on* attributes were not allowed, the style
>> attributes were not allowed, and any script nodes in the body were not
>> allowed.
>
> If you specify script-src and style-src and don't include
> 'unsafe-inline', sure.
>
>> If CSP now allows them by default then I am not very happy about that
>
> CSP allows the things you don't issue directives for. If you don't
> issue any script-src directives (or default-src directives), then there
> won't be any limitations on scripts.
>
> -Boris

Last time I read the specification, unsafe-inline didn't exist. Last time I glanced at the site, unsafe-inline existed but was not supported by all browsers and required a declared hash to work.
Received on Friday, 2 December 2016 17:08:28 UTC