dammit I meant "styles"
If you use style= or onclick= and set 'u-h-a' to allow them, this will break in UAs without 'u-h-a'
-
Because they will see a hash and ignore 'unsafe-inline', so they will reject these attributes.
-
so there will be no way to enable style="" if I want to use a nonce or a hash?
-
The current proposal has problems so it depends on whether Mike finds a way to fix them. Maybe? :)
-
FWIW in our apps we don't restrict style-src. Sec risk of inline styles is much less than of scripts