Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Jonathan Zuckerman
Could you elaborate on the point made earlier that CSP is too complicated to implement? What would the fix for this particular security hole look like, using CSP?

On Fri, Dec 2, 2016 at 1:11 AM Richard Maher wrote:
> Thanks Michael. So to be safe one should use Edge?

Re: [whatwg] Arithmetic coded JPEGs

2016-12-02 Thread Domenic Denicola
Hi Evgeny, and welcome to the list!

From: whatwg [mailto:whatwg-boun...@lists.whatwg.org] On Behalf Of Evgeny Vrublevsky
> Unfortunately, browsers still don't support arithmetic JPEG officially. Is
> this the right place to start a discussion if it is possible to change it?

This is a reasonable

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Boris Zbarsky
On 12/2/16 11:01 AM, Michael A. Peters wrote:
> Personally I love CSP but it does not allow inline scripts or inline CSS

Only if you say to not allow them. The default behavior allows them. For example, this disallows inline scripts, because script-src is explicitly specified without

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Michael A. Peters
On 12/02/2016 08:47 AM, Boris Zbarsky wrote:
> On 12/2/16 11:34 AM, Michael A. Peters wrote:
>> It seems that CSP behavior has radically changed since the last time I looked at it
>
> I can't speak to when you last looked at it, but the current state shipping in browsers is, as far as I know, no

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Boris Zbarsky
On 12/2/16 11:23 AM, Boris Zbarsky wrote:
> (except for maybe with the new unsafe-inline option that requires checksum in the head ???)

unsafe-inline doesn't require a checksum. See examples above. It's also not new. Certainly the November 2012 CR of CSP 1.0 [1] has unsafe-inline.

-Boris

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Michael A. Peters
On 12/02/2016 08:23 AM, Boris Zbarsky wrote:
> On 12/2/16 11:01 AM, Michael A. Peters wrote:
>> Personally I love CSP but it does not allow inline scripts or inline CSS
>
> Only if you say to not allow them. The default behavior allows them. For example, this disallows inline scripts, because

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Boris Zbarsky
On 12/2/16 11:34 AM, Michael A. Peters wrote:
> It seems that CSP behavior has radically changed since the last time I looked at it

I can't speak to when you last looked at it, but the current state shipping in browsers is, as far as I know, no different from what browsers shipped initially

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Michael A. Peters
Personally I love CSP but it does not allow inline scripts or inline CSS and over 95% of the web makes heavy use of both. I believe there now are CSP parameters that relax those prohibitions but from what I understand they are only relaxed when a hash of the inline scripts / CSS is declared in the