It can't be the case that this is completely broken, can it? I mean, am I missing something?
It's similar to how you can use hashes for <script> blocks but not for event handlers (onclick, etc.)
ah ok, so this isn't going to work then looking at my use case?
Odd that Chrome still provides a hash though and that they don't match up even when the same :-D
Yeah, I updated your bug to address that. The error msg definitely sucks and we should fix it.
@mikewest I thought that was added in CSP3? Am I mistaken?
CSP3 has 'unsafe-hashed-attributes' for this, but I expect @mikewest will take it out b/c of backcompat issues
oh, what's the prob?
If you use style= or onclick= and set 'u-h-a' to allow them, this will break in UAs without 'u-h-a'
Because they will see a hash and ignore 'unsafe-inline', so they will reject these attributes.
so there will be no way to enable style="" if I want to use a nonce or a hash?
The current proposal has problems so it depends on whether Mike finds a way to fix them. Maybe? :)
FWIW in our apps we don't restrict style-src. Sec risk of inline styles is much less than of scripts
