- From: Michael A. Peters <mpeters@domblogger.net>
- Date: Tue, 18 Oct 2011 18:09:43 -0700
- To: public-web-security@w3.org
Brandon Sterne wrote:

> Leaving aside the question about an advocacy group for CSP, I don't see
> why the use case you listed can't be supported under CSP. You can allow
> the inline style block, with small risk to the application, by adding
> "style-src 'unsafe-inline'" to the policy. Also, since the
> no-inline-script restriction only applies to the top-level document, an
> iframe that contains inline script can be enabled simply by adding the
> iframe's hostname to the frame-src directive.

I'm not that fond of the 'unsafe-inline' directive, as there is no way for a web browser to differentiate between injected script/style and what is legitimate. Using external CSS/script and forbidding inline makes it possible for browsers to differentiate.

With respect to the iframe, I was under the impression the iframe had to minimally conform to the same policy as its parent document. I guess I am wrong there, though that is how I would think it should be.
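To make the two behaviours discussed in this exchange concrete, here is a small added example (not from the thread or any browser's code) that evaluates a CSP header the way the draft of that era describes: inline style or script is permitted only when the governing directive carries 'unsafe-inline', and a framed document is permitted when its host appears in frame-src (falling back to default-src). The policy strings and URLs are constructed for the example.

```python
# Added illustration, not part of the original thread. Assumes the
# "directive source-list; directive source-list" header syntax and that
# each document (including each iframe) is evaluated against its own policy.
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse a CSP header into {directive: [sources]}; keywords keep their quotes."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _sources(policy, directive):
    # Directive-specific list wins; otherwise default-src governs.
    return policy.get(directive, policy.get("default-src", []))


def _host_matches(source, url):
    host = urlsplit(url).hostname or ""
    if source == "*":
        return True
    src_host = urlsplit(source if "//" in source else "//" + source).hostname or ""
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host


def allows_inline(policy, directive):
    """Inline <style>/<script> blocks pass only with 'unsafe-inline' (the weak setting)."""
    return "'unsafe-inline'" in _sources(policy, directive)


def allows_url(policy, directive, url, document_url):
    """A URL-loaded resource (e.g. an iframe src) passes if a source expression matches."""
    sources = _sources(policy, directive)
    if "'none'" in sources:
        return False
    for src in sources:
        if src == "'self'":
            doc, res = urlsplit(document_url), urlsplit(url)
            if (doc.scheme, doc.netloc) == (res.scheme, res.netloc):
                return True
        elif not src.startswith("'") and _host_matches(src, url):
            return True
    return False
```

A policy that omits 'unsafe-inline' rejects every inline block, which is exactly why the browser cannot tell injected from legitimate inline content once the keyword is present.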
Received on Wednesday, 19 October 2011 01:10:22 UTC