CSP external hashes will be a huge win for orgs already using SRI. https://www.w3.org/TR/CSP3/#external-hash … make this happen!!!
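As an added illustration (not code from the tweet's author or from the CSP spec), the script below shows what "CSP external hashes" pairs with SRI: the same sha256 token is used both as a CSP hash-source in the `script-src` directive and as the `integrity` attribute on the external `<script>` element, so a script whose body changes fails both checks. The script body, URL and the allow/deny model are constructed assumptions; the model follows a conservative reading of the CSP3 external-hash rule, requiring every `integrity` token to be listed in the policy and the fetched body to match it.

```python
import base64
import hashlib
import re

# Constructed sample script body; stands in for a file served from a CDN.
SCRIPT_BODY = b"console.log('hello from a pinned external script');\n"
# Assumed URL, not a real host.
SCRIPT_URL = "https://cdn.example/app.js"


def sri_digest(body: bytes, algo: str = "sha256") -> str:
    """Return the hash token shared by SRI and CSP, e.g. 'sha256-<base64>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def csp_header(tokens) -> str:
    """Build a script-src directive that allows only the given hash tokens."""
    return "script-src " + " ".join(f"'{t}'" for t in tokens)


def script_tag(url: str, token: str) -> str:
    """Emit the element that pins the same digest via SRI (CORS is required for SRI)."""
    return f'<script src="{url}" integrity="{token}" crossorigin="anonymous"></script>'


def hash_sources(policy: str) -> set:
    """Extract hash-source tokens ('sha256-…', 'sha384-…', 'sha512-…') from script-src."""
    m = re.search(r"script-src\s+([^;]+)", policy)
    if not m:
        return set()
    pattern = re.compile(r"'(sha(?:256|384|512)-[A-Za-z0-9+/=]+)'")
    return {pattern.fullmatch(s).group(1) for s in m.group(1).split() if pattern.fullmatch(s)}


def external_script_allowed(policy: str, integrity_attr: str, body: bytes) -> bool:
    """Model of CSP3 external-hash matching (assumption: every integrity token must be
    an allowed hash-source in the policy, and the body must match each token)."""
    allowed = hash_sources(policy)
    tokens = integrity_attr.split()
    if not tokens:
        return False  # no integrity metadata: the hash-source cannot authorize the script
    for token in tokens:
        algo = token.split("-", 1)[0]
        if token not in allowed:
            return False  # integrity token not listed in the policy
        if sri_digest(body, algo) != token:
            return False  # fetched body does not match the pinned digest
    return True


def demo():
    """Show the header/tag pair and the verdicts for an intact and a tampered body."""
    token = sri_digest(SCRIPT_BODY)
    policy = csp_header([token])
    tag = script_tag(SCRIPT_URL, token)
    tampered = SCRIPT_BODY + b"fetch('https://attacker.invalid');\n"  # constructed change
    return {
        "policy": policy,
        "tag": tag,
        "intact_allowed": external_script_allowed(policy, token, SCRIPT_BODY),
        "tampered_allowed": external_script_allowed(policy, token, tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Deploying the header and the tag from one build step keeps the two digests in sync; a script that is updated at the CDN without a matching deploy is blocked rather than silently loaded.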
You mention "over HTTP" in contrast to "over HTTPS"? I wonder if CSP should have a "make everything require CORS" directive.
: WRT CORS, patches welcome, I suppose! Not sure whether that would help... what threats would it mitigate?
@ndm
On its own maybe not much. It would facilitate adding a way for a subresource server to opt into CORS-only for its responses.
This may be preferable to extending frame-ancestors to <img> and <script>. Maybe even completely subsume frame-ancestors.
: "over HTTP" in the context of "fewer things". I want us to lock things to HTTPS. WebASM is an example of me failing.