On Fri, Dec 13, 2013 at 4:47 PM, Dionysis Zindros <dionyziz@gmail.com> wrote:

> The current spec is explicit about allowing nonces and hashes for only
> inline script use

The current spec mentions hashes and nonce in the style-src section, but in the Valid Hashes section, https://dvcs.w3.org/hg/content-security-policy/raw-file/8db37e53da82/csp-specification.dev.html#valid-hashes it only mentions script. I would expect them to work in style-src as well as script-src. Does the valid-hashes section need to be updated, or is the style-src section wrong?

Also, wouldn't it be possible in theory to solve Dev's problem by allowing hashes of inline event handlers? This could also potentially help ease adoption in legacy applications. I don't know what kind of challenges that would present for the browser vendors to implement, obviously not anything I would want holding up CSP1.1.

--
Pete Freitag
http://foundeo.com
http://content-security-policy.com/ - CSP Quick Reference

Received on Monday, 16 December 2013 18:29:24 UTC
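The hash-source mechanism discussed in this message, as an added Python example that is not part of the original post or of the specification. It assumes hashes are accepted in style-src the same way as in script-src (the reading the message expects) and uses SHA-256; `InlineCollector`, `hash_source`, `build_policy` and the sample page are names and data constructed for this illustration. Inline event handlers are only reported, since the message treats hashing them as a possible extension rather than existing behaviour.

```python
import base64
import hashlib
from html.parser import HTMLParser

class InlineCollector(HTMLParser):
    """Collect inline <script>/<style> bodies and inline event-handler attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.blocks = {"script": [], "style": []}
        self.handlers = []      # (tag, attribute) pairs such as ("button", "onclick")
        self._open = None       # element whose text is currently being collected
        self._buf = []

    def handle_starttag(self, tag, attrs):
        self.handlers += [(tag, k) for k, _ in attrs if k.startswith("on")]
        # <script src=...> is external: it is governed by URL sources, not hashes.
        external = tag == "script" and any(k == "src" for k, _ in attrs)
        if tag in self.blocks and not external:
            self._open, self._buf = tag, []

    def handle_data(self, data):
        if self._open:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._open:
            self.blocks[tag].append("".join(self._buf))
            self._open = None

def hash_source(text):
    """Return a CSP hash-source: base64 SHA-256 of the exact element content."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_policy(html):
    """Return (policy string, inline handlers that no hash in the policy covers)."""
    c = InlineCollector()
    c.feed(html)
    c.close()
    directives = []
    for tag, name in (("script", "script-src"), ("style", "style-src")):
        sources = sorted({hash_source(b) for b in c.blocks[tag]})
        directives.append(" ".join([name, "'self'"] + sources))
    return "; ".join(directives), c.handlers

# Constructed sample page: one inline style, one external and one inline script,
# and one inline event handler.
SAMPLE = ('<style>p{color:red}</style><script src="/app.js"></script>'
          '<script>init();</script><button onclick="go()">Go</button>')
```

The hash is taken over the element content byte for byte, so any whitespace change between the opening and closing tags produces a different source value.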