Re: Comments on the Content Security Policy specification

2009-10-19 Thread Gervase Markham
On 15/10/09 22:20, Brandon Sterne wrote: I think we face a decision: A) we continue to allow inline styles and make external stylesheet loads be subject to the "allow" policy, or B) we disallow inline style and create an opt-in mechanism similar to the inline-script option [2] C) We do A, but d

Re: Comments on the Content Security Policy specification

2009-10-19 Thread Johnathan Nightingale
On 19-Oct-09, at 7:34 AM, Gervase Markham wrote: On 15/10/09 22:20, Brandon Sterne wrote: IOW, we need to decide if webpage defacement via injected style is in the threat model for CSP and, if so, then we need to do B. Is it just about defacement, or is it also about the fact that CSS can bri

Re: Comments on the Content Security Policy specification

2009-10-19 Thread Adam Barth
On Mon, Oct 19, 2009 at 6:43 AM, Johnathan Nightingale wrote: > Not as limited as you might like. Remember that even apparently non-dangerous constructs (e.g. background-image, the :visited pseudo class) can give people power to do surprising things (e.g. internal network ping sweeping, user