Re: unsafe-inline for style-src

On 9/19/12 4:19 PM, Adam Barth wrote:
> On Tue, Sep 18, 2012 at 5:12 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> On 9/18/12 6:40 PM, Mike West wrote:
>>>> * doc.body.setAttribute("style", "...");
>> ...
>>>> * doc.body.style.background = "...";
>>
>> There is no functional different between those two.  Especially not if you
>> actually consider:
>>
>>    doc.body.style.cssText = "....";
>
> There isn't a functional difference, but there is a semantic
> difference.  One is manipulating the DOM style attribute (which then
> gets reflected in the styles themselves).  The other is manipulating
> the styles themselves (which then gets reflected into the DOM style
> attribute).

Yes, but in which case is this semantic difference something someone 
writing a CSP would care about, given that the resulting functionality 
is identical?

-Boris

Received on Thursday, 20 September 2012 01:08:54 UTC