- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Thu, 07 Apr 2011 08:50:42 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: Bil Corry <bil@corry.biz>, Collin Jackson <collin.jackson@sv.cmu.edu>, gaz Heyes <gazheyes@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 04/07/2011 12:05 AM, Adam Barth wrote:
> On Thu, Apr 7, 2011 at 12:00 AM, Bil Corry <bil@corry.biz> wrote:
>> One use case to consider: I want to allow only HTTPS stylesheets, and allow
>> inline styles specifically for framebusting:
>>
>> https://www.codemagi.com/blog/post/194
>
> Sure, but that would work if there was an "allow-inline-style" option
> (or if you could use the frame-ancestors directive).
>
> Adam

So, it's obvious there are use cases for enabling inline style. I'm not super compelled by the case for blocking inline style other than consistency, which I agree is nice to have. Locking down all CSS to external stylesheets might be desirable for a high assurance web site.

I suppose we're talking about an aesthetic decision we have to make. Do people prefer to:

1. disable inline style by default and enable it with extra policy?
2. leave inline style intact

There's also enabling inline style by default and disabling it with extra policy, but that's even less consistent than 2. /shrug/

I personally prefer 2, mostly because I place a premium on sites being able to write simple policies in the majority of cases. I believe (hope?) the common case for CSP will be a site that uses inline style but blocks inline script. I'm not religiously opposed to 1, though.

-Brandon
Received on Thursday, 7 April 2011 15:48:05 UTC
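To make the trade-off concrete, here is an added example (not from the thread or from any browser's implementation): a minimal Python evaluator for the `style-src` directive that models Bil's use case of "HTTPS stylesheets only, plus inline style for framebusting" under option 1 above. It assumes inline style is blocked whenever a `style-src` (or the `default-src` it falls back to) applies unless the keyword `'unsafe-inline'` is present; that keyword stands in for the "allow-inline-style" option Adam mentions and is the name CSP later standardised.

```python
# Added example, not from the thread: a minimal evaluator of a CSP style-src
# directive. Assumption: inline style is blocked whenever style-src (or the
# default-src it falls back to) applies, unless 'unsafe-inline' is listed;
# that keyword stands in for the "allow-inline-style" option in the thread.
from urllib.parse import urlsplit

def parse_policy(policy: str) -> dict:
    """Split 'dir src src; dir src' into {directive: [source expressions]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _style_sources(policy: str):
    d = parse_policy(policy)
    return d.get("style-src", d.get("default-src"))  # style-src falls back to default-src

def _source_matches(expr: str, url: str, origin: str) -> bool:
    """Does one source expression (scheme, host, 'self', 'none') match `url`?"""
    u, o = urlsplit(url), urlsplit(origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if expr.endswith(":"):                          # scheme-source, e.g. https:
        return u.scheme == expr[:-1].lower()
    scheme, _, host = expr.rpartition("://")        # host-source, e.g. https://*.example.com
    if scheme and u.scheme != scheme.lower():
        return False
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:].lower())
    return u.hostname == host.lower()

def stylesheet_allowed(policy: str, url: str, origin: str) -> bool:
    """May the document at `origin` load an external stylesheet from `url`?"""
    sources = _style_sources(policy)
    if sources is None:                 # no applicable directive: unrestricted
        return True
    return any(_source_matches(e, url, origin) for e in sources if not e.startswith("'unsafe"))

def inline_style_allowed(policy: str) -> bool:
    """May the document use <style> blocks or style="" attributes?"""
    sources = _style_sources(policy)
    return sources is None or "'unsafe-inline'" in sources
```

With this model, `default-src 'self'; style-src https: 'unsafe-inline'` admits any HTTPS stylesheet plus the inline framebusting rule, while dropping `'unsafe-inline'` gives the fully locked-down variant; note that a bare `default-src 'self'` also blocks inline style, because `style-src` inherits from it.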