- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Fri, 2 Dec 2016 11:47:34 -0500
- To: whatwg@lists.whatwg.org
On 12/2/16 11:34 AM, Michael A. Peters wrote:
> It seems that CSP behavior has radically changed since the last time I
> looked at it

I can't speak to when you last looked at it, but the current state shipping in browsers is, as far as I know, no different from what browsers shipped initially for purposes of this discussion.

> At least historically, the on* attributes were not allowed, the style
> attributes were not allowed, and any script nodes in the body were not
> allowed.

If you specify script-src and style-src and don't include 'unsafe-inline', sure.

> If CSP now allows them by default then I am not very happy about that

CSP allows the things you don't issue directives for. If you don't issue any script-src directives (or default-src directives), then there won't be any limitations on scripts.

-Boris
Received on Friday, 2 December 2016 16:48:14 UTC
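The fallback rule Boris describes (a missing script-src or style-src falls back to default-src, and with neither present nothing restricts inline content) can be checked mechanically against a header. The following is an added illustration, not code from this thread or from any browser; it models only the 'unsafe-inline' keyword and the default-src fallback, and deliberately does not model nonces, hashes or 'strict-dynamic', whose presence changes how 'unsafe-inline' is treated.

```python
"""
Minimal model of how a user agent decides whether inline script or inline
style is permitted under a Content-Security-Policy header.

Rules modelled (CSP Level 2/3):
  - script-src governs <script> elements and on* handlers;
    style-src governs <style> elements and style="" attributes.
  - If the specific directive is absent, the agent falls back to default-src.
  - If default-src is also absent, nothing restricts that content type.
  - Inline content is blocked unless the governing source list contains
    'unsafe-inline'.  An empty source list behaves like 'none'.

Not modelled (assumption stated here on purpose): nonces, hashes and
'strict-dynamic', which in real policies cause 'unsafe-inline' to be ignored.
This is an added example, not code from the whatwg thread or any browser.
"""


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive_name: [source_tokens]}.

    Directives are separated by ';' and tokens by ASCII whitespace.  Directive
    names are ASCII case-insensitive, so they are lower-cased.  If a directive
    is repeated, the first occurrence wins and later copies are ignored, which
    is what the spec tells user agents to do.
    """
    policy: dict[str, list[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def governing_sources(policy: dict[str, list[str]], directive: str):
    """Return the source list that governs `directive` after applying the
    default-src fallback, or None when no directive restricts it at all."""
    if directive in policy:
        return policy[directive]
    if "default-src" in policy:
        return policy["default-src"]
    return None


def inline_allowed(header: str, directive: str) -> bool:
    """True if inline content governed by `directive` ('script-src' or
    'style-src') would be permitted under `header`."""
    sources = governing_sources(parse_csp(header), directive)
    if sources is None:
        return True  # no directive covers it: inline content is not restricted
    # Keyword sources are matched ASCII case-insensitively.
    return "'unsafe-inline'" in (s.lower() for s in sources)


def audit_inline(header: str) -> dict[str, bool]:
    """Summarise, for a header, whether inline script and inline style run."""
    return {
        "inline_script": inline_allowed(header, "script-src"),
        "inline_style": inline_allowed(header, "style-src"),
    }


if __name__ == "__main__":
    # Constructed sample policies illustrating the fallback behaviour.
    samples = [
        "",                                              # no policy at all
        "img-src 'self'",                                # restricts images only
        "default-src 'self'",                            # blocks all inline
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "script-src 'self'",                             # style-src unrestricted
    ]
    for sample in samples:
        print(f"{sample or '<no header>'!r}: {audit_inline(sample)}")
```

Running the block prints one line per constructed policy; the "img-src 'self'" case is the one Boris is pointing at: a policy that never mentions script-src or default-src leaves inline scripts and on* handlers fully permitted.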