Call out to CSP's inline element hooks #274
Rebased onto ToT.
source
Do you want id="style=processing-csp" here? Also, node or element?
- What would adding id="style=processing-csp" do? I mean, I'm happy to, I just don't understand why. :)
- No preference between Node and Element (are there any nodes that aren't elements, in HTML?)
I didn't understand why you added script-processing-csp but maybe that was because of the other steps.
It seems this feature would only ever really apply to elements.
Oh. I added script-processing-csp because other things in that section had IDs. Just cargo-culting. I'd rather remove that ID than add another here, really, but maybe consistency is important?
It's fine to leave the script one and don't add one here.
Changed from node to element. I'll happily defer to your judgement about the IDs, and squish everything together once that's resolved.
source
The one nitpick I have left is that you use two spaces for indentation here. I think since this <li> only contains a single child we should just inline it as done for <style> and over time align the rest of the <script> algorithm with that style.
LGTM with the formatting fixed.
Content Security Policy defines a "Should element's inline behavior be blocked by Content Security Policy?" algorithm in order to handle things like nonces, hashes, and 'unsafe-inline'. This patch adds those hooks to the appropriate spots in HTML's 'prepare a script' and 'update a style block' algorithms. #271
Rebased, formatted, squashed. Thanks!
Great!
Another one. This is based on top of #272 and #273. Sorry for the mess.
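An added sketch, not part of this pull request or of either specification, of the inline check the description above refers to and the two HTML call sites it hooks. The function names, element records and sample policy are constructed for illustration, and the model is simplified (exact-case keyword matching, standard base64 only).

```javascript
// Added illustration: simplified model of CSP's inline check (nonces, hashes,
// 'unsafe-inline') and the two call sites in HTML. Not specification text.
const { createHash } = require("node:crypto");

// "script-src 'nonce-abc'; style-src 'unsafe-inline'" -> { "script-src": [tokens] }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// type is "script" or "style"; element is a hypothetical { nonce, text } record.
function inlineBlocked(element, type, policy) {
  const sources = policy[`${type}-src`] ?? policy["default-src"];
  if (sources === undefined) return false; // no directive governs this type
  const nonces = sources.filter((s) => /^'nonce-.+'$/.test(s));
  const hashes = sources.filter((s) => /^'sha(256|384|512)-.+'$/.test(s));
  // 'unsafe-inline' only counts when no nonce or hash source is present.
  if (sources.includes("'unsafe-inline'") && nonces.length + hashes.length === 0) return false;
  if (element.nonce && nonces.includes(`'nonce-${element.nonce}'`)) return false;
  for (const h of hashes) {
    const [algo, expected] = h.slice(1, -1).split(/-(.+)/);
    if (createHash(algo).update(element.text, "utf8").digest("base64") === expected) return false;
  }
  return true;
}

// Call site modelled on "prepare a script": only inline scripts (no src) are
// checked here; fetching an external script is governed by other checks.
function prepareScript(el, policy) {
  if (el.src === undefined && inlineBlocked(el, "script", policy)) return "blocked";
  return "run";
}

// Call site modelled on "update a style block".
function updateStyleBlock(el, policy) {
  return inlineBlocked(el, "style", policy) ? "blocked" : "applied";
}

// Constructed sample policy: nonce + hash for scripts, 'unsafe-inline' for styles.
const SAMPLE_TEXT = "console.log('hi')";
const SAMPLE_DIGEST = createHash("sha256").update(SAMPLE_TEXT, "utf8").digest("base64");
const SAMPLE_POLICY = parsePolicy(
  `script-src 'unsafe-inline' 'nonce-r4nd0m' 'sha256-${SAMPLE_DIGEST}'; style-src 'unsafe-inline'`
);
```

With the sample policy, an inline script carrying neither the nonce nor a matching hash is blocked even though `'unsafe-inline'` is listed, because the nonce and hash sources take precedence over it.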