[csswg-drafts] [mediaqueries][mediaqueries-5] Account for CSP restrictions in the scripting feature (#8653)

hackademix has just created a new issue for https://github.com/w3c/csswg-drafts:

== [mediaqueries][mediaqueries-5] Account for CSP restrictions in the scripting feature ==
Regarding the [@media scripting features, value `none`](https://www.w3.org/TR/mediaqueries-5/#valdef-media-scripting-none), the current specification reads:

> [...]the value of the scripting media feature should be [enabled](https://www.w3.org/TR/mediaqueries-5/#valdef-media-scripting-enabled) or [initial-only](https://www.w3.org/TR/mediaqueries-5/#valdef-media-scripting-initial-only) if scripts originating on the same domain as the document are allowed to run, and [none](https://www.w3.org/TR/mediaqueries-5/#valdef-media-scripting-none) otherwise.

Security and privacy browser extensions such as NoScript, uBlock Origin or uMatrix currently use CSP directives (typically `script-src` and `script-src-elem`) to turn off JavaScript on certain sites of users' choice, and use DOM manipulation to display the content of `<noscript>` elements (which are not affected by CSP) and provide users with the authors' intended feedback. Of course the JavaScript-toggled CSS classes approach works out of the box.

It would be great if this new feature took into account CSP disabling script execution on the document, making explicit that the value should be `none` for that case. Otherwise the aforementioned tools would need to scan all the CSS rules applied to the page and manipulate them to force those matching `scripting none`, which would be an ugly, inefficient hack.

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/8653 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 28 March 2023 09:25:51 UTC
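
A sketch of the check the issue asks the specification to make explicit, as an added example that is not part of the original message, the Media Queries draft or any extension's code. All function names are hypothetical, and two things are assumptions: the mapping from "CSP blocks scripts" to `none`, and the inclusion of `script-src-attr` (inline event handlers) alongside the `script-src` and `script-src-elem` directives named above.

```javascript
// Added example: hypothetical helpers, not from the spec or any extension.
const ELEM_CHAIN = ["script-src-elem", "script-src", "default-src"];
const ATTR_CHAIN = ["script-src-attr", "script-src", "default-src"];

// Parse a Content-Security-Policy header value into one Map per policy
// (policies are comma-separated, directives semicolon-separated).
function parseCsp(headerValue) {
  return headerValue.split(",").map((policy) => {
    const directives = new Map();
    for (const part of policy.split(";")) {
      const [name, ...sources] = part.trim().split(/\s+/);
      if (!name) continue;
      const key = name.toLowerCase();
      // CSP ignores duplicate directives: the first occurrence wins.
      if (!directives.has(key)) directives.set(key, sources);
    }
    return directives;
  });
}

// Source list of the first directive present in the fallback chain,
// or null when the policy does not restrict this kind of script at all.
function effectiveSources(directives, chain) {
  const name = chain.find((n) => directives.has(n));
  return name === undefined ? null : directives.get(name);
}

// A source list matches nothing when it is empty or is exactly 'none'.
function matchesNothing(sources) {
  if (sources === null) return false;
  return sources.length === 0 ||
    (sources.length === 1 && sources[0].toLowerCase() === "'none'");
}

// Assumed mapping for the proposal: "none" when the enforced policies
// block both <script> elements and inline event handlers outright.
// Policies that block everything only in combination are not detected.
function scriptingFeatureValue(headerValue) {
  const policies = parseCsp(headerValue);
  const blocked = (chain) =>
    policies.some((p) => matchesNothing(effectiveSources(p, chain)));
  return blocked(ELEM_CHAIN) && blocked(ATTR_CHAIN) ? "none" : "enabled";
}
```

Under this sketch a policy that sets only `script-src-elem 'none'` still yields `enabled`, because inline event handlers fall back to `script-src` or `default-src` and remain unrestricted when neither is present.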