Merged
20 changes: 10 additions & 10 deletions source
Expand Up @@ -11343,9 +11343,9 @@ Transport Protocol">HTTP&lt;/abbr> today.&lt;/p></pre> <!-- DO NOT REWRAP THIS L

<p>However, if the <span>Should element's inline behavior be blocked by Content Security
Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
attribute's <span>element</span> and "<code data-x="">style attribute</code>", then the style
rules defined in the attribute's value must not be applied to the <span>element</span>. <ref
spec="CSP"></p>
attribute's <span>element</span>, "<code data-x="">style attribute</code>", and the attribute's
value, then the style rules defined in the attribute's value must not be applied to the
<span>element</span>. <ref spec="CSP"></p>

</div>
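
Review bot: the added lines call the algorithm with three arguments (the attribute's element, "style attribute", and the attribute's value) where the removed lines passed two, and the algorithm is defined in the referenced CSP spec rather than in this file. The PR description or commit message should link the matching CSP change that adds the third parameter, so this text does not land calling the algorithm with an argument it does not yet accept.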

Expand Down Expand Up @@ -13861,8 +13861,8 @@ own thing rather than part of the extended sentence -->

<li><p>If the <span>Should element's inline behavior be blocked by Content Security
Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
<code>style</code> element and "<code data-x="">style</code>", then abort these steps.
<ref spec="CSP"></p></li>
<code>style</code> element, "<code data-x="">style</code>", and the <code>style</code>
element's <code>style data</code>, then abort these steps. <ref spec="CSP"></p></li>
Member

This seems wrong given https://html.spec.whatwg.org/multipage/semantics.html#style-data. Only child Text nodes matter for <style>.

Member

Also, does this check happen after we determined this is CSS?

Member Author

> Also, does this check happen after we determined this is CSS?

I don't think it matters whether we consider this CSS or not, does it? Whatever style language we support, we'd run it through style-src and check against inline.

> This seems wrong given https://html.spec.whatwg.org/multipage/semantics.html#style-data

That's what I was looking for, thanks!


<!-- note that the browsing context isn't needed: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2739 -->
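
Review bot: in the added lines, "style data" is wrapped in <code>, which elsewhere in this hunk marks element names and literal strings ("style", "Blocked"), while the algorithm name is a <span> cross-reference. Since the review thread points to #style-data as a defined term, mark it up as <span>style data</span> so the step links to that definition, which per the thread is what restricts the input to child Text nodes.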

Expand Down Expand Up @@ -58629,9 +58629,9 @@ o............A....e
<li id="script-processing-csp"><p>If the <code>script</code> element does not have a <code
data-x="attr-script-src">src</code> content attribute, and the <span>Should element's inline
behavior be blocked by Content Security Policy?</span> algorithm returns "<code
data-x="">Blocked</code>" when executed upon the <code>script</code> element and "<code
data-x="">script</code>", then abort these steps. The script is not executed. <ref
spec="CSP"></p></li>
data-x="">Blocked</code>" when executed upon the <code>script</code> element, "<code
data-x="">script</code>", and the <code>script</code> element's <code>child text content</code>,
then abort these steps. The script is not executed. <ref spec="CSP"></p></li>

Member

I think it would be better to refer to the "child text content" which is how the text attribute is defined.

Member Author

Done.

<li id="script-processing-for">
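
Review bot: the condition in this step is hard to parse now that it has two levels of "and" in one sentence: the outer one joining "does not have a src content attribute" to the CSP check, and the inner one inside the three-item argument list (the script element, "script", and the child text content). Consider introducing the arguments with "given", or moving the src test into its own step, so the argument list cannot be misread as a further condition.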

Expand Down Expand Up @@ -88425,8 +88425,8 @@ dictionary <dfn>PromiseRejectionEventInit</dfn> : <span>EventInit</span> {
<ol>
<li><p>If the <span>Should element's inline behavior be blocked by Content Security
Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
attribute's <span>element</span> and "<code data-x="">script attribute</code>", then abort these
steps. <ref spec="CSP"></p></li>
attribute's <span>element</span>, "<code data-x="">script attribute</code>", and the attribute's
value, then abort these steps. <ref spec="CSP"></p></li>

<li><p>Set the corresponding <span data-x="event handlers">event handler</span> to an
<span>internal raw uncompiled handler</span> consisting of the attribute's new value and the
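
Review bot: the CSP check in the added lines is run on "the attribute's value", but the unchanged step right after it builds the handler from "the attribute's new value". Use the same term in both steps (for example "the attribute's new value" in the CSP step) so it is unambiguous that the string checked against the policy is the string that becomes the handler.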