On Nov 15, at 12:27 PM, Yoav Weiss wrote: >>> >>> Any thoughts on my concerns with making inline CSS mandatory (especially >>> from the CSP angle)? >> >> CSP 1.1 supports securing inline style and script with nonces and/or >> hashes. >> >> > OK, since the latest proposals keep the URLs outside the style, modifying > the content image can keep the same style, assuming layout is identical. So > these inline-style are not more likely to change than any other > inline-styles and the authoring complexity is identical to other inline > styles. > > Still - I'm not sure such a solution is author friendly.
I’m just not sure what this proposal claims to handle or support that `src-n` doesn’t, apart from handling it with a slightly different syntax that’s subjectively preferred by a few people? Seems like it depends on a number of fairly large assumptions, but doesn’t really bring anything new to the table.
