The CSP spec allows hashes for <style> elements, but not style="" attributes.
Replying to @arturjanc @Scott_Helme and
It's similar to how you can use hashes for <script> blocks but not for event handlers (onclick, etc.)
@mikewest I thought that was added in CSP3? Am I mistaken?
CSP3 has 'unsafe-hashed-attributes' for this, but I expect
@mikewest will take it out b/c of backcompat issues
Replying to @Scott_Helme @metromoxie and
If you use style= or onclick= and set 'u-h-a' to allow them, this will break in UAs without 'u-h-a'
Replying to @arturjanc @Scott_Helme and
Because they will see a hash and ignore 'unsafe-inline', so they will reject these attributes.
Replying to @arturjanc @metromoxie and
so there will be no way to enable style="" if I want to use a nonce or a hash?
Replying to @Scott_Helme @metromoxie and
The current proposal has problems so it depends on whether Mike finds a way to fix them. Maybe? :)
FWIW in our apps we don't restrict style-src. Sec risk of inline styles is much less than of scripts
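
An added example, not part of the thread: a simplified Python model of the back-compat problem described in the replies above, where a user agent without 'unsafe-hashed-attributes' sees a hash, ignores 'unsafe-inline', and rejects the style="" attribute. The function names, the `ua_knows_uha` flag and the sample attribute value are constructed for illustration; this is not a full CSP parser (keyword case-folding, default-src fallback and multiple policies are left out).

```python
import base64
import hashlib

HASH_OR_NONCE_PREFIXES = ("'sha256-", "'sha384-", "'sha512-", "'nonce-")


def csp_hash(text: str) -> str:
    """Return the CSP source expression 'sha256-<base64 digest>' for text."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def style_attribute_allowed(style_src: str, attr_value: str, ua_knows_uha: bool) -> bool:
    """Model whether a style="" attribute passes a style-src source list.

    ua_knows_uha (hypothetical flag): True models a UA that implements
    'unsafe-hashed-attributes'; False models one that drops it as unknown.
    """
    sources = style_src.split()
    has_hash_or_nonce = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in sources)

    # A hash or nonce in the list makes the UA ignore 'unsafe-inline'.
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True

    # Only a UA that understands the keyword matches attribute hashes.
    if ua_knows_uha and "'unsafe-hashed-attributes'" in sources:
        return csp_hash(attr_value) in sources

    return False


# Constructed sample: one inline style attribute and a policy that tries to
# cover both kinds of UA by listing 'unsafe-inline' as a fallback.
ATTR = "color: red"
POLICY = f"'unsafe-inline' 'unsafe-hashed-attributes' {csp_hash(ATTR)}"

if __name__ == "__main__":
    for label, knows in (("UA with u-h-a", True), ("UA without u-h-a", False)):
        verdict = "allowed" if style_attribute_allowed(POLICY, ATTR, knows) else "blocked"
        print(f"{label}: style attribute {verdict}")
```
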