On 12/02/2016 08:47 AM, Boris Zbarsky wrote:
On 12/2/16 11:34 AM, Michael A. Peters wrote:
It seems that CSP behavior has radically changed since the last time I
looked at it
I can't speak to when you last looked at it, but the current state
shipping in browsers is, as far as I know, no different from what
browsers shipped initially for purposes of this discussion.
At least historically, the on* attributes were not allowed, the style
attributes were not allowed, and any script nodes in the body were not
allowed.
If you specify script-src and style-src and don't include
'unsafe-inline', sure.
If CSP now allows them by default then I am not very happy about that
CSP allows the things you don't issue directives for. If you don't
issue any script-src directives (or default-src directives), then there
won't be any limitations on scripts.
-Boris
Last time I read the specification, unsafe-inline didn't exist. Last
time I glanced at the site, unsafe-inline existed but was not supported
by all browsers and required a declared hash to work.