- From: Tim Kadlec <tim@timkadlec.com>
- Date: Fri, 15 Nov 2013 12:32:40 -0600
- To: Adam Barth <w3c@adambarth.com>
- Cc: Markus Ernst <derernst@gmx.ch>, Yoav Weiss <yoav@yoav.ws>, "Tab Atkins Jr." <jackalmage@gmail.com>, Ryosuke Niwa <rniwa@apple.com>, whatwg <whatwg@lists.whatwg.org>, "Jukka K. Korpela" <jkorpela@cs.tut.fi>, "matmarquis.com" <mat@matmarquis.com>, Markus Lanthaler <markus.lanthaler@gmx.net>
To my knowledge the only implementor who flat-out refused to implement src-N was WebKit. There is interest from Mozilla and Blink, though it did sound like Blink was considering playing follow the leader. Take care, Tim Kadlec On Fri, Nov 15, 2013 at 12:25 PM, Adam Barth <w3c@adambarth.com> wrote: > On Fri, Nov 15, 2013 at 10:25 AM, matmarquis.com <mat@matmarquis.com> > wrote: > > On Nov 15, at 12:27 PM, Yoav Weiss wrote: > >>>> Any thoughts on my concerns with making inline CSS mandatory > (especially > >>>> from the CSP angle)? > >>> > >>> CSP 1.1 supports securing inline style and script with nonces and/or > >>> hashes. > >> > >> OK, since the latest proposals keep the URLs outside the style, > modifying > >> the content image can keep the same style, assuming layout is > identical. So > >> these inline-style are not more likely to change than any other > >> inline-styles and the authoring complexity is identical to other inline > >> styles. > >> > >> Still - I'm not sure such a solution is author friendly. > > > > I’m just not sure what this proposal claims to handle or support that > `src-n` doesn’t, apart from handling it with a slightly different syntax > that’s subjectively preferred by a few people? Seems like it depends on a > number of fairly large assumptions, but doesn’t really bring anything new > to the table. > > The primary benefit of this proposal over src-N is that implementors > are willing to implement it (or at least haven't refused to implement > it yet). > > Adam >
Received on Friday, 15 November 2013 18:33:04 UTC