CSP external hashes will be a huge win for orgs already using SRI. https://www.w3.org/TR/CSP3/#external-hash … make this happen!!!
Replying to @BRIAN_____: Also, Google's position != Mike's position. If I was the decider, we'd be shipping fewer things without CORS over HTTP.
@ndm1 reply 0 retweets 0 likes -
You mention "over HTTP" in contrast to "over HTTPS"? I wonder if CSP should have a "make everything requires CORS" directive.
Replying to @BRIAN_____: WRT CORS, patches welcome, I suppose! Not sure whether that would help... what threats would it mitigate?
@ndm1 reply 0 retweets 0 likes -
On its own maybe not much. It would facilitate adding a way for a subresource server to opt into CORS-only for its responses.
This may be preferable to extending frame-ancestors to <img> and <script>. Maybe even completely subsume frame-ancestors.