Re: unsafe-inline for style-src

On 9/19/12 9:21 PM, Adam Barth wrote:
> I should say that I don't really have a strong opinion here.  If
> there's another semantics that you prefer strongly, I'm certainly open
> to that.
>
> For authors, we should strive for the conceptually clearest semantics.
> The concept I was going for was "don't use the style element or
> attribute."  Maybe it's clearer to include the CSSOM as well?  There
> isn't really a security benefit to blocking the CSSOM, so it seemed
> simpler to allow it.

Is there security benefit to blocking the style attribute?  Or is the 
real security benefit to blocking the style element and the attribute 
just came along for semantic clarity?

From my point of view, for what it's worth, the semantics that make
sense are "do not apply inline styles or styles from <style> elements".
The former would cover inline styles no matter how you set them,
basically.

-Boris

Received on Thursday, 20 September 2012 02:39:48 UTC