Newsgroups: mozilla.dev.security
From: Brandon Sterne <bste...@mozilla.com>
Date: Tue, 07 Apr 2009 09:08:43 -0700
Local: Tues, Apr 7 2009 12:08 pm
Subject: Re: Content Security Policy - final call for comments
On 4/7/09 4:25 AM, Gervase Markham wrote:
> What's the story on inline <style> and style=""? At the moment the
> definition of "style-src" says they are subject to it, but there's no
> valid value for "in this document", and in the script case, all inline
> script is disabled.

As you mentioned, the style-src section indicates "...as well as inline
<style> elements and style attributes of HTML elements." We are
basically treating CSS in the same manner as JavaScript.

> Have we decided that there's a risk with all inline CSS style, or can we
> define and enforce a large safe subset of the language? Making people
> move their JS to external files is one thing, making them move all the
> style as well is yet another.

Since style is a vector for JavaScript, via XBL, it needs to be subject
to the same restrictions.

-Brandon
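
Added example (not part of the original message or of Mozilla's code): a small Python audit that lists what a page would have to move to external files under a policy that treats inline CSS the same as inline script, as described above. The `audit` function, the `xbl` flag and the sample page are constructed for illustration; `-moz-binding` is the Gecko CSS property that attached XBL bindings.

```python
from html.parser import HTMLParser

XBL_PROPERTY = "-moz-binding"  # Gecko CSS property that attaches an XBL binding


class InlineAudit(HTMLParser):
    """Record inline <style>, style="" and inline <script> occurrences."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._open_style = None  # finding for the <style> element being read

    def _add(self, kind, where, css=""):
        self.findings.append({"line": self.getpos()[0], "kind": kind,
                              "where": where, "xbl": XBL_PROPERTY in css.lower()})

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._add("style-element", "<style>")
            self._open_style = self.findings[-1]
        elif tag == "script" and "src" not in attrs:
            self._add("inline-script", "<script>")
        if "style" in attrs:
            self._add("style-attribute", f"<{tag} style=...>", attrs["style"] or "")

    def handle_data(self, data):
        # <style> bodies arrive here; flag the ones that bind XBL.
        if self._open_style is not None and XBL_PROPERTY in data.lower():
            self._open_style["xbl"] = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._open_style = None


def audit(html):
    """Return the inline style/script findings for one HTML document."""
    parser = InlineAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: external CSS/JS pass, inline CSS is reported.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/site.css">
<style>p { color: red }</style>
<style>#w { -moz-binding: url("widget.xml#w") }</style>
<script src="/app.js"></script>
</head><body>
<div style="margin: 0">hello</div>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["line"], f["kind"], f["where"], "XBL" if f["xbl"] else "")
```
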