| 00:21 | <sideshowbarker> | EveryOS: thanks |
| 00:21 | <EveryOS> | You're welcome |
| 00:24 | <sideshowbarker> | looking now at https://github.com/mdn/content/issues/11697 I find that no browsers seem to conform to the CSP spec requirement to block element.style.cssText = 'display:none' in the same way they block element.setAttribute('style', 'display:none;') |
| 00:25 | <sideshowbarker> | and looking at WPT, I find we have no tests for it https://wpt.fyi/results/content-security-policy/style-src?label=experimental&label=master&aligned |
| 00:27 | <sideshowbarker> | step 4 at https://w3c.github.io/webappsec-csp/#directive-style-src is where the relevant requirement is defined, and it even explicitly mentions:
|