Re: [w3ctag/design-reviews] TAG review request of the CSP feature 'unsafe-hashes' (#291)

Just want to confirm: as far as I can tell, *unsafe-hashes* directives mean that the user agent must now start hashing all event handlers' text it encounters before attempting to execute them to see if the hash matches the directive. I suppose that's not too bad from a performance angle since modern parsers and the spec say to defer processing of event handlers until such time as the UA might need to dispatch said event. At that time, the UA would ordinarily process the inline handler's text (send it to the JS engine in order to get an executable handler and/or throw an error), and this new feature adds a hash computation to the process.

I don't suppose there's any way for the developer to flag which elements are potentially allowed by the directive, e.g., by using the `integrity` attribute?

-- 
https://github.com/w3ctag/design-reviews/issues/291#issuecomment-420052677

Received on Monday, 10 September 2018 20:39:13 UTC
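
The hash check described in the message above, modelled as an added example in Node.js (not code from the message, the TAG review, or any browser). The handler text and policy are constructed samples, the function names are hypothetical, and the fallback through `script-src-attr` follows CSP Level 3 rather than anything stated in the message.

```javascript
const { createHash } = require('node:crypto');

// Source-expression shapes from the CSP grammar (base64 or base64url value).
const HASH_RE = /^'(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})'$/i;
const NONCE_RE = /^'nonce-[A-Za-z0-9+/_-]+={0,2}'$/i;

// Build the hash-source a policy author would list for a handler's exact text.
function hashSource(algo, text) {
  return `'${algo}-${createHash(algo).update(text, 'utf8').digest('base64')}'`;
}

// Parse a serialized policy into Map<directive name, source list>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Model of the decision made when an inline event handler is about to be compiled.
function allowsInlineHandler(policy, handlerText) {
  const d = parsePolicy(policy);
  const sources = d.get('script-src-attr') ?? d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true; // no directive governs inline handlers
  const keywords = new Set(sources.map((s) => s.toLowerCase()));
  const hashes = sources.map((s) => HASH_RE.exec(s)).filter(Boolean);
  const hasNonce = sources.some((s) => NONCE_RE.test(s));
  // 'unsafe-inline' is ignored once a hash, nonce or 'strict-dynamic' is listed.
  if (keywords.has("'unsafe-inline'") && hashes.length === 0 && !hasNonce &&
      !keywords.has("'strict-dynamic'")) return true;
  // Without 'unsafe-hashes', listed hashes never apply to event handler attributes.
  if (!keywords.has("'unsafe-hashes'")) return false;
  // The extra work per handler: one digest per listed algorithm, compared byte-wise.
  return hashes.some(([, algo, b64]) => {
    const got = createHash(algo.toLowerCase()).update(handlerText, 'utf8').digest();
    return Buffer.from(b64, 'base64').equals(got);
  });
}

// Constructed sample input.
const SAMPLE_HANDLER = 'doSubmit(event)';
const SAMPLE_POLICY =
  `default-src 'self'; script-src 'self' 'unsafe-hashes' ${hashSource('sha256', SAMPLE_HANDLER)}`;
```

The match is on the attribute's exact text, so a handler that differs only in whitespace from the hashed string is refused.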