On Fri, Dec 2, 2016 at 9:07 AM, Michael A. Peters
<mpet...@domblogger.net> wrote:
> On 12/02/2016 08:47 AM, Boris Zbarsky wrote:
>> On 12/2/16 11:34 AM, Michael A. Peters wrote:
>>> It seems that CSP behavior has radically changed since the last time I
>>> looked at it
>> I can't speak to when you last looked at it, but the current state
>> shipping in browsers is, as far as I know, no different from what
>> browsers shipped initially for purposes of this discussion.
>>> At least historically, the on* attributes were not allowed, the style
>>> attributes were not allowed, and any script nodes in the body were not
>>> allowed.
>> If you specify script-src and style-src and don't include
>> 'unsafe-inline', sure.
>>> If CSP now allows them by default then I am not very happy about that
>> CSP allows the things you don't issue directives for.  If you don't
>> issue any script-src directives (or default-src directives), then there
>> won't be any limitations on scripts.
>> -Boris
> Last time I read the specification, unsafe-inline didn't exist. Last time I
> glanced at the site, unsafe-inline existed but was not supported by all
> browsers and required a declared hash to work.

I have been using unsafe-inline on both style and script directives in
the CSP live on my site tantek.com (home page, permalinks) for over a

I have seen no problems with Firefox / Chrome / Safari, and have not
gotten any reports of problems from Edge users either.

I documented the CSP directive I'm using here: https://indieweb.org/CSP#Tantek

If you know of any specific browsers where it is "not supported", let
me know, because I have received zero such reports.
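The fallback behaviour Boris describes above (a resource type is unrestricted unless its directive, or default-src, is present; inline code then needs 'unsafe-inline' or a matching hash) can be checked mechanically. The following small policy evaluator is an added example, not code from the thread or from indieweb.org; it assumes CSP Level 2 semantics, where a nonce or hash in the source list causes 'unsafe-inline' to be ignored, and ignores nonces, CSP3 keywords and any directive other than script-src, style-src and default-src.

```python
import base64
import hashlib

# Directives that fall back to default-src when they are not declared.
FALLBACK_TO_DEFAULT = {"script-src", "style-src"}


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        # A repeated directive is ignored; the first declaration wins.
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """Source list governing `directive`, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def sha256_source(content: str) -> str:
    """Hash-source expression ('sha256-<base64>') for one inline block."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_allowed(header: str, directive: str, content: str = None) -> bool:
    """Would an inline script/style block be executed under this policy?"""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        # No directive and no default-src: CSP places no limit on this type.
        return True
    # A hash that matches the block's exact text whitelists that block.
    if content is not None and sha256_source(content) in sources:
        return True
    has_nonce_or_hash = any(
        s.lower().startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in sources
    )
    if has_nonce_or_hash:
        # CSP Level 2: 'unsafe-inline' is ignored once a nonce or hash is listed.
        return False
    return any(s.lower() == "'unsafe-inline'" for s in sources)


if __name__ == "__main__":
    # Constructed policies, to show the fallback rules discussed in the thread.
    for policy in ["", "img-src 'self'", "default-src 'self'",
                   "default-src 'self'; script-src 'self' 'unsafe-inline'"]:
        print(repr(policy), "-> inline script allowed:",
              inline_allowed(policy, "script-src"))
```

Running the block prints one line per constructed policy; the first two are unrestricted (no script-src and no default-src), the third is blocked by the default-src fallback, and the fourth is allowed only because script-src explicitly carries 'unsafe-inline'.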