On Wed, Oct 15, 2014 at 6:10 PM, Tab Atkins Jr. <jackalm...@gmail.com> wrote:
> Nothing in-band will work, because the attacker can replace arbitrary
> amounts of the page if they're loaded as an in-page script. It's
> gotta be *temporally* isolated - either something out-of-band like a
> response header, or something that has no effect by the time scripts
> run, like a <meta> that is only read during initial parsing.

Yes. Hence the CSP directive portion of the proposal.

The inline attribute is useful for the specific password manager case I'm concentrating on, as it gives us a clear indication that the site doesn't intend to do wacky manipulation of its credentials on the fly. We can use this to determine how and when the password manager (or credit card autofill, or whatever) ought to refuse to expose information to the renderer.

--
Mike West <mk...@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
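The temporal-isolation argument in this exchange, as an added model written for this page (it is not code from the thread, from any browser, or from any password manager): the directive name, the attribute name and the sample page are placeholders, and the "browser" is a few lines of Python that freeze what was known at initial parse and compare that with a check that trusts the live DOM.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Placeholder names: the thread fixes neither the CSP directive nor the attribute.
DIRECTIVE = "credentials"               # hypothetical CSP directive
ATTRIBUTE = "data-static-credentials"   # hypothetical in-band form attribute
# Assumes http-equiv comes before content in the <meta> tag (simplification).
META_RE = re.compile(r'<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]*)"', re.I)

@dataclass(frozen=True)
class ParseTimeSnapshot:
    """Signals captured before any script runs; frozen so nothing later can alter them."""
    directive: Optional[str]   # value of the hypothetical directive: header first, then <meta>
    attribute_present: bool    # the in-band attribute as it stood during initial parsing

def directive_value(csp: str, name: str) -> Optional[str]:
    """Return the value of directive `name` from a CSP string, or None if absent."""
    for entry in csp.split(";"):
        parts = entry.split()
        if parts and parts[0].lower() == name:
            return " ".join(parts[1:])
    return None

def snapshot_at_parse(headers: dict, html: str) -> ParseTimeSnapshot:
    """What the browser knows at initial parse: response header, else a <meta> CSP."""
    value = directive_value(headers.get("Content-Security-Policy", ""), DIRECTIVE)
    if value is None:  # <meta> counts only because it is read during initial parsing
        m = META_RE.search(html)
        value = directive_value(m.group(1), DIRECTIVE) if m else None
    return ParseTimeSnapshot(value, ATTRIBUTE in html)

def naive_may_fill(live_dom: str) -> bool:
    """In-band check: trusts whatever the DOM says at the moment autofill is requested."""
    return ATTRIBUTE in live_dom

def isolated_may_fill(snap: ParseTimeSnapshot) -> bool:
    """Temporally isolated check: trusts only what was fixed before scripts ran."""
    return snap.directive == "static" and snap.attribute_present

# Constructed sample: the page ships no directive and no attribute; afterwards an
# in-page script (the scenario in the quoted message) rewrites the form in-band.
HEADERS = {"Content-Security-Policy": "default-src 'self'"}
INITIAL_HTML = '<form action="/login"><input name="pw" type="password"></form>'
AFTER_SCRIPT = INITIAL_HTML.replace("<form", f"<form {ATTRIBUTE}")

def demo() -> tuple:
    """(naive verdict, isolated verdict) for the constructed sample."""
    snap = snapshot_at_parse(HEADERS, INITIAL_HTML)
    return naive_may_fill(AFTER_SCRIPT), isolated_may_fill(snap)
```

The naive check says "fill" once the script has added the attribute; the isolated check still says "refuse", because neither the header nor the parse-time page carried the signal.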