Call out to CSP's inline element hooks #274
Conversation
|
Rebased onto ToT. |
| @@ -13295,6 +13291,10 @@ own thing rather than part of the extended sentence --> | |||
| <li><p>If <var>element</var> is not <span>in a <code>Document</code></span>, then abort | |||
| these steps.</p></li> <!-- http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2740 --> | |||
|
|
|||
| <li><p>If the <span>Should node's inline behavior be blocked by Content Security Policy?</span> | |||
There was a problem hiding this comment.
Do you want id="style=processing-csp" here? Also, node or element?
There was a problem hiding this comment.
- What would adding
id="style=processing-csp"do? I mean, I'm happy to, I just don't understand why. :) - No preference between
NodeandElement(are there any nodes that aren't elements, in HTML?)
There was a problem hiding this comment.
I didn't understand why you added script-processing-csp but maybe that was because of the other steps.
It seems this feature would only ever really apply to elements.
There was a problem hiding this comment.
Oh. I added script-processing-csp because other things in that section had IDs. Just cargo-culting. I'd rather remove that ID than add another here, really, but maybe consistency is important?
There was a problem hiding this comment.
It's fine to leave the script one and don't add one here.
|
Changed from node to element. I'll happily defer to your judgement about the IDs, and squish everything together once that's resolved. |
| content attribute, and the <span>Should node's inline behavior be blocked by Content Security | ||
| Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the | ||
| <code>script</code> element, then the user agent must abort these steps. The script is not | ||
| executed. <ref spec="CSP"></p> |
There was a problem hiding this comment.
The one nitpick I have left is that you use two spaces for indentation here. I think since this <li> only contains a single child we should just inline it as done for <style> and over time align the rest of the <script> algorithm with that style.
|
LGTM with the formatting fixed. |
Content Security Policy defines a "Should element's inline behavior be blocked by Content Security Policy?" algorithm in order to handle things like nonces, hashes, and 'unsafe-inline'. This patch adds those hooks to the appropriate spots in HTML's 'prepare a script' and 'update a style block' algorithms. #271
|
Rebased, formatted, squashed. Thanks! |
|
Great! |
Another one. This is based on top of #272 and #273. Sorry for the mess.