[CSP] ‘unsafe-hashed-attributes’, ‘unsafe-inline-attributes’ and CSP directive versioning

Hello folks at webappsec,

The CSP 'unsafe-hashed-attributes' keyword proposal has traditionally had
quite a bit of controversy and discussion and I would like to try to
channel all of these discussions and opinions towards some end decision of
some sort.

'unsafe-inline-attribute' has also had some discussion and has recently
resurfaced in light of some CSS-based keylogger attacks. Seeing that it is
quite similar to 'unsafe-hashed-attributes' I think they're worth
discussing together.

CSP directive versioning follows logically from the two above so I have
also bundled it up in the explainer below:


I would like to hear all of your thoughts and opinions on this as I believe
there is real benefit in adding these features.

Andy Paicu

Received on Thursday, 5 April 2018 12:51:09 UTC