What's that? You wanted _more_ CSP directives? Sure! Here you go!
(This is @arturjanc's fault.) https://twitter.com/intenttoship/status/1037699686583427072
-
Sure. Whatever. Add it to the conversation on https://github.com/w3c/webappsec-csp/issues/87.
-
One good use case for this would be static magic ES{5,6,7} detector expressions which test for new ES syntax and can't be refactored to use the ScriptElement workaround because the script parser would barf on older browsers (so they try {eval(...)} catch {}).
-
Code like this currently requires the use of 'unsafe-eval' and is a pain in the butt to fix: https://stackoverflow.com/questions/49005406/check-basic-es6-support-without-unsave-eval
-
Ugh.
-
Look at it this way: the directive split can do one more useful thing with only a little bit more effort ;-) "Why build one when you can have two at twice the price?" https://www.youtube.com/watch?v=Et4sMJP9FmM&feature=youtu.be&t=128
-
That is a way of looking at it! I think some spelling of this (directive or keyword or whatever) can work for hashes, fairly trivially. I do not have bandwidth to argue with TC39 about `eval()` syntax to support nonces.
-
Yeah; more granularity would be great. This, or allow eval when the second argument to it is a nonce, or an API that can enable/disable eval if you know the nonce.