On Thu, Jan 16, 2014 at 11:21 AM, Mike West <mkwst@google.com> wrote:
> I'd suggest the following: I'll implement the CSSOM change behind the flag
> in Blink, turn it on locally, and browsing around on Facebook and Github.
> If they break, I'll email folks to see if they can easily add 'unsafe-eval'
> to their `script-src` directives.
>
I added this change to Blink a week or three ago. It broke quite a bit more
than I expected. As it turns out, jQuery relies on 'cssText' for a number
of internal checks and some functionality.
GitHub added 'unsafe-eval' quickly, but it looks like we'll end up in a
situation where 'unsafe-eval' is whitelisted by everyone who sets a
'style-src' directive. I'm not sure this is a change we should make; I've
reverted the functionality from Blink so that I'm not breaking chunks of
the web for folks who have the "Experimental Web Platform Features" flag
flipped.
-mike