What's that? You wanted _more_ CSP directives? Sure! Here you go!
(This is @arturjanc's fault.) https://twitter.com/intenttoship/status/1037699686583427072 …
CSP is *by design* a kitchen sink of restrictions that you can pick and choose from to lock down your app. It just so happens that this feature (hashes for JS event handlers) lets CSP be deployed in a useful way in a large number of places where it had been misconfigured before.
Luckily (kind of), the complexity cost here is borne mostly by the browser vendors, rather than by web applications. So if you deploy CSP with the new directives it's not more difficult than with script-src in the past.
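Added example, not from the thread or its participants: a Node.js sketch of how a hash for an inline event handler is computed and checked against a policy. The `'unsafe-hashes'` keyword and the `script-src-attr` directive come from CSP Level 3 and are not named in the thread; the handler text and function names are constructed. Only the hash path is modelled (`'unsafe-inline'` is ignored).

```javascript
const crypto = require("crypto");

// CSP hash source for the exact text of an event-handler attribute value.
function handlerHash(code) {
  const digest = crypto.createHash("sha256").update(code, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Parse a policy string into a Map of directive name -> source list.
// As in CSP, the first occurrence of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Simplified model: may this inline event handler run under the policy?
// Handlers are governed by script-src-attr, falling back to script-src,
// then default-src. A hash only applies to a handler when
// 'unsafe-hashes' is also present in the same source list.
function handlerAllowed(policy, code) {
  const d = parsePolicy(policy);
  const sources = d.get("script-src-attr") || d.get("script-src") || d.get("default-src");
  if (!sources) return true; // no governing directive: nothing is restricted
  return sources.includes("'unsafe-hashes'") && sources.includes(handlerHash(code));
}

// Constructed sample: the markup contains <button onclick="doSubmit(event)">
const HANDLER = "doSubmit(event)";
const POLICY = `script-src 'self'; script-src-attr 'unsafe-hashes' ${handlerHash(HANDLER)}`;

console.log(POLICY);
console.log(handlerAllowed(POLICY, HANDLER));           // the hashed handler
console.log(handlerAllowed(POLICY, "somethingElse()")); // any other handler text
```

The hash covers the attribute value byte for byte, so any edit to the handler, including whitespace, needs a new hash in the policy.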