Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

On Fri, Dec 2, 2016 at 9:07 AM, Michael A. Peters
<mpeters@domblogger.net> wrote:
> On 12/02/2016 08:47 AM, Boris Zbarsky wrote:
>>
>> On 12/2/16 11:34 AM, Michael A. Peters wrote:
>>>
>>> It seems that CSP behavior has radically changed since the last time I
>>> looked at it
>>
>>
>> I can't speak to when you last looked at it, but the current state
>> shipping in browsers is, as far as I know, no different from what
>> browsers shipped initially for purposes of this discussion.
>>
>>> At least historically, the on* attributes were not allowed, the style
>>> attributes were not allowed, and any script nodes in the body were not
>>> allowed.
>>
>>
>> If you specify script-src and style-src and don't include
>> 'unsafe-inline', sure.
>>
>>> If CSP now allows them by default then I am not very happy about that
>>
>>
>> CSP allows the things you don't issue directives for.  If you don't
>> issue any script-src directives (or default-src directives), then there
>> won't be any limitations on scripts.
>>
>> -Boris
>
>
> Last time I read the specification, unsafe-inline didn't exist. Last time I
> glanced at the site, unsafe-inline existed but was not supported by all
> browsers and required a declared hash to work.

I have been using unsafe-inline on both style and script directives in
the CSP live on my site tantek.com (home page, permalinks) for over a
year.

I have seen no problems with Firefox / Chrome / Safari, and have not
gotten any reports of problems from Edge users either.

I documented the CSP directive I'm using here: https://indieweb.org/CSP#Tantek

If you know of any specific browsers where it is "not supported", let
me know, because I have received zero such reports.

Thanks,

Tantek

Received on Thursday, 8 December 2016 19:50:28 UTC
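
The rule discussed in this thread (CSP only restricts what a directive has been issued for, and inline script or style is blocked only when `script-src`/`style-src` or the `default-src` fallback is present without `'unsafe-inline'`), as an added example that is not part of the original messages. It is a simplified model rather than a full CSP parser; the function names and the sample policies are constructed for illustration.

```javascript
// Added example: simplified model of how CSP treats inline script/style.
// parsePolicy and inlineAllowed are hypothetical names, not a browser API.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive name is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// kind is "script" or "style". Returns true when inline content of that kind
// that carries no nonce and matches no hash (inline <script>/<style> blocks,
// on* attributes, style attributes) is permitted by the policy.
function inlineAllowed(header, kind) {
  const directives = parsePolicy(header);
  // script-src / style-src fall back to default-src when absent.
  const sources = directives.get(kind + "-src") ?? directives.get("default-src");
  // No governing directive at all: CSP places no limit on this content.
  if (sources === undefined) return true;
  const lowered = sources.map((s) => s.toLowerCase());
  // CSP Level 2 and later: a nonce or hash source in the list makes
  // browsers ignore 'unsafe-inline' for that directive.
  const hasNonceOrHash = lowered.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s)
  );
  return lowered.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample policies.
const samples = [
  "img-src *",
  "script-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "script-src 'unsafe-inline' 'nonce-abc123'",
];
for (const policy of samples) {
  console.log(policy, "=>", {
    script: inlineAllowed(policy, "script"),
    style: inlineAllowed(policy, "style"),
  });
}
```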