Could you elaborate on the point made earlier that CSP is too complicated
to implement? What would the fix for this particular security hole look
like, using CSP?
On Fri, Dec 2, 2016 at 1:11 AM Richard Maher wrote:
Thanks Michael. So to be safe one should use Edge? Who'd have thunk it?
Anyone
Personally I love CSP but it does not allow inline scripts or inline CSS
and over 95% of the web makes heavy use of both.
I believe there now are CSP parameters that relax those prohibitions, but
from what I understand they are only relaxed when a hash of the inline
scripts / CSS is declared in the
On 12/2/16 11:01 AM, Michael A. Peters wrote:
Personally I love CSP but it does not allow inline scripts or inline CSS
Only if you say to not allow them. The default behavior allows them.
For example, this disallows inline scripts, because script-src is
explicitly specified without unsafe-in
On 12/2/16 11:23 AM, Boris Zbarsky wrote:
(except for maybe with the new unsafe-inline option that requires
checksum in the head ???)
unsafe-inline doesn't require a checksum. See examples above.
It's also not new. Certainly the November 2012 CR of CSP 1.0 [1] has
unsafe-inline.
-Boris
On 12/02/2016 08:23 AM, Boris Zbarsky wrote:
On 12/2/16 11:01 AM, Michael A. Peters wrote:
Personally I love CSP but it does not allow inline scripts or inline CSS
Only if you say to not allow them. The default behavior allows them.
For example, this disallows inline scripts, because script-s
On 12/2/16 11:34 AM, Michael A. Peters wrote:
It seems that CSP behavior has radically changed since the last time I
looked at it
I can't speak to when you last looked at it, but the current state
shipping in browsers is, as far as I know, no different from what
browsers shipped initially for
On 12/02/2016 08:47 AM, Boris Zbarsky wrote:
On 12/2/16 11:34 AM, Michael A. Peters wrote:
It seems that CSP behavior has radically changed since the last time I
looked at it
I can't speak to when you last looked at it, but the current state
shipping in browsers is, as far as I know, no differ
Hi Evgeny, and welcome to the list!
From: whatwg [mailto:whatwg-boun...@lists.whatwg.org] On Behalf Of Evgeny
Vrublevsky
> Unfortunately, browsers still don't support arithmetic JPEG officially. Is
> this a right place to start a discussion if it is possible to change it?
This is a reasonable