hashes were a pretty big part of CSP 2. Are so few people using it that no one noticed this?! 
CSP3 has 'unsafe-hashed-attributes' for this, but I expect @mikewest will take it out b/c of backcompat issues
-
-
oh, what's the prob?
-
If you use style= or onclick= and set 'u-h-a' to allow them, this will break in UAs without 'u-h-a'
-
Because they will see a hash and ignore 'unsafe-inline', so they will reject these attributes.
-
so there will be no way to enable style="" if I want to use a nonce or a hash?
-
The current proposal has problems so it depends on whether Mike finds a way to fix them. Maybe? :)
-
FWIW in our apps we don't restrict style-src. Sec risk of inline styles is much less than of scripts
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.