Re: [w3ctag/design-reviews] TAG review request of the CSP feature 'unsafe-hashes' (#291) from andypaicu on 2018-09-12 (public-webapps-github@w3.org from September 2018)

From: andypaicu <notifications@github.com>
Date: Wed, 12 Sep 2018 02:39:22 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/291/420581426@github.com>

User agents can optimize this process by not computing hashes for event handlers if `unsafe-hashes` is not present.

If `unsafe-hashes` is present the hashing will have to be done on all elements as there is no other *sane* mechanism for allowing event handlers (by sane I mean not things like `unsafe-inline` which basically provides to defense at all). So if there was for example a check for the `integrity` attribute value, developers using `unsafe-hashes` would basically put it on all of their elements that have event handlers, otherwise those event handlers would not run.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/291#issuecomment-420581426

Received on Wednesday, 12 September 2018 09:39:44 UTC