- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 15 Nov 2013 10:25:28 -0800
- To: "matmarquis.com" <mat@matmarquis.com>
- Cc: Markus Ernst <derernst@gmx.ch>, Yoav Weiss <yoav@yoav.ws>, "Tab Atkins Jr." <jackalmage@gmail.com>, Ryosuke Niwa <rniwa@apple.com>, whatwg <whatwg@lists.whatwg.org>, "Jukka K. Korpela" <jkorpela@cs.tut.fi>, Markus Lanthaler <markus.lanthaler@gmx.net>
On Fri, Nov 15, 2013 at 10:25 AM, matmarquis.com <mat@matmarquis.com> wrote:
> On Nov 15, at 12:27 PM, Yoav Weiss wrote:
>>>> Any thoughts on my concerns with making inline CSS mandatory (especially
>>>> from the CSP angle)?
>>>
>>> CSP 1.1 supports securing inline style and script with nonces and/or
>>> hashes.
>>
>> OK, since the latest proposals keep the URLs outside the style, modifying
>> the content image can keep the same style, assuming layout is identical. So
>> these inline-style are not more likely to change than any other
>> inline-styles and the authoring complexity is identical to other inline
>> styles.
>>
>> Still - I'm not sure such a solution is author friendly.
>
> I’m just not sure what this proposal claims to handle or support that `src-n` doesn’t, apart from handling it with a slightly different syntax that’s subjectively preferred by a few people? Seems like it depends on a number of fairly large assumptions, but doesn’t really bring anything new to the table.

The primary benefit of this proposal over src-N is that implementors are willing to implement it (or at least haven't refused to implement it yet).

Adam
Received on Friday, 15 November 2013 18:26:29 UTC