Re: [w3ctag/design-reviews] TAG review request of the CSP feature 'unsafe-hashes' (#291)

Hey @andypaicu; thank you so much for the detailed explainer!

I have a pretty dumb question: in the examples provided, *what* is being hashed? Is it the text of the attribute value (e.g., `performTransaction()`), the full source of the attribute (`onclick="performTransaction()"`), the full text of the element's `outerHTML` (`<a onclick="performTransaction()"/>`), or the source of the script which lexically resolves the current value of `window.performTransaction`?

Wasn't able to quickly understand the behavior based on the definition of [`source-lists`](https://w3c.github.io/webappsec-csp/#source-lists).

Thanks in advance.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/291#issuecomment-405631626

Received on Tuesday, 17 July 2018 15:50:39 UTC