On 02/04/09 22:12, Brandon Sterne wrote:
> We have been working hard lately to finish documenting the Content
> Security Policy proposal,

What's the story on inline <style> and style=""? At the moment the definition of "style-src" says they are subject to it, but there's no valid value for "in this document", and in the script case, all inline script is disabled.

Have we decided that there's a risk with all inline CSS style, or can we define and enforce a large safe subset of the language? Making people move their JS to external files is one thing; making them move all the style as well is yet another.

Gerv
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security