On Fri, Dec 2, 2016 at 9:07 AM, Michael A. Peters <mpet...@domblogger.net> wrote: > On 12/02/2016 08:47 AM, Boris Zbarsky wrote: >> >> On 12/2/16 11:34 AM, Michael A. Peters wrote: >>> >>> It seems that CSP behavior has radically changed since the last time I >>> looked at it >> >> >> I can't speak to when you last looked at it, but the current state >> shipping in browsers is, as far as I know, no different from what >> browsers shipped initially for purposes of this discussion. >> >>> At least historically, the on* attributes were not allowed, the style >>> attributes were not allowed, and any script nodes in the body were not >>> allowed. >> >> >> If you specify script-src and style-src and don't include >> 'unsafe-inline', sure. >> >>> If CSP now allows them by default then I am not very happy about that >> >> >> CSP allows the things you don't issue directives for. If you don't >> issue any script-src directives (or default-src directives), then there >> won't be any limitations on scripts. >> >> -Boris > > > Last time I read the specification, unsafe-inline didn't exist. Last time I > glanced at the site, unsafe-inline existed but was not supported by all > browsers and required a declared hash to work.
I have been using unsafe-inline on both style and script directives in the CSP live on my site tantek.com (home page, permalinks) for over a year. I have seen no problems with Firefox / Chrome / Safari, and have not gotten any reports of problems from Edge users either. I documented the CSP directive I'm using here: https://indieweb.org/CSP#Tantek If you know of any specific browsers where it is "not supported", let me know, because I have received zero such reports. Thanks, Tantek