
Re: Holiday changes to the CSP 1.1 editor's draft.

From: Mike West <mkwst@google.com>
Date: Mon, 17 Feb 2014 10:13:09 +0100
Message-ID: <CAKXHy=cTEjpgOr+BHCzNJhjHb4wOZpc-oHSO9JQO-WRFQxxe5Q@mail.gmail.com>
To: Ian Melven <ian.melven@gmail.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jan 16, 2014 at 11:21 AM, Mike West <mkwst@google.com> wrote:

> I'd suggest the following: I'll implement the CSSOM change behind the flag
> in Blink, turn it on locally, and browse around on Facebook and Github.
> If they break, I'll email folks to see if they can easily add 'unsafe-eval'
> to their `script-src` directives.

I added this change to Blink a week or three ago. It broke quite a bit more
than I expected. As it turns out, jQuery relies on 'cssText' for a number
of internal checks and some functionality.

GitHub added 'unsafe-eval' quickly, but it looks like we'll end up in a
situation where 'unsafe-eval' is whitelisted by everyone who sets a
'style-src' directive. I'm not sure this is a change we should make; I've
reverted the functionality from Blink so that I'm not breaking chunks of
the web for folks who have the "Experimental Web Platform Features" flag
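As an added example (not part of the thread or of Blink), the checker below parses a Content-Security-Policy header and reports whether the effective style-src list grants 'unsafe-eval', which is what the draft change described above would have required for CSSOM writes such as `element.style.cssText`. It assumes the standard fallback from style-src to default-src; the sample policies are constructed.

```javascript
// Added example: audit a CSP header for the draft rule that cssText-style
// CSSOM writes need 'unsafe-eval' in the effective style-src list.
// The fallback from style-src to default-src is standard CSP behaviour.

function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP honours only the first occurrence of a directive; duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list governing styles: style-src if present, else default-src,
// else null (no restriction on styles at all).
function effectiveStyleSources(directives) {
  if (directives.has('style-src')) return directives.get('style-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True when cssText writes would be permitted under the draft rule: either
// styles are unrestricted, or 'unsafe-eval' is listed in the effective sources.
function cssTextAllowed(header) {
  const sources = effectiveStyleSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies covering each outcome.
const policies = {
  noStyleRestriction: "script-src 'self'",
  strictStyle: "default-src 'self'; style-src 'self' 'unsafe-inline'",
  withUnsafeEval: "default-src 'self'; style-src 'self' 'unsafe-inline' 'unsafe-eval'",
  inheritedFromDefault: "default-src 'self' 'unsafe-eval'",
};

for (const [name, policy] of Object.entries(policies)) {
  console.log(name, '->', cssTextAllowed(policy) ? 'cssText allowed' : 'cssText blocked');
}
```

Running it against a site's real header shows which of the two camps in the message a deployment would fall into: blocked unless 'unsafe-eval' is added, or already permissive.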

Received on Monday, 17 February 2014 09:14:01 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC