- From: matmarquis.com <mat@matmarquis.com>
- Date: Fri, 15 Nov 2013 13:25:20 -0500
- To: Yoav Weiss <yoav@yoav.ws>
- Cc: Markus Ernst <derernst@gmx.ch>, "Tab Atkins Jr." <jackalmage@gmail.com>, Ryosuke Niwa <rniwa@apple.com>, whatwg <whatwg@lists.whatwg.org>, Markus Lanthaler <markus.lanthaler@gmx.net>, "Jukka K. Korpela" <jkorpela@cs.tut.fi>, Adam Barth <w3c@adambarth.com>
On Nov 15, at 12:27 PM, Yoav Weiss wrote: >>> >>> Any thoughts on my concerns with making inline CSS mandatory (especially >>> from the CSP angle)? >> >> CSP 1.1 supports securing inline style and script with nonces and/or >> hashes. >> >> > OK, since the latest proposals keep the URLs outside the style, modifying > the content image can keep the same style, assuming layout is identical. So > these inline-style are not more likely to change than any other > inline-styles and the authoring complexity is identical to other inline > styles. > > Still - I'm not sure such a solution is author friendly. I’m just not sure what this proposal claims to handle or support that `src-n` doesn’t, apart from handling it with a slightly different syntax that’s subjectively preferred by a few people? Seems like it depends on a number of fairly large assumptions, but doesn’t really bring anything new to the table.
Received on Friday, 15 November 2013 18:21:36 UTC