I feel this is the holy grail for CSP script-src. We wouldn't even need `strict-dynamic`. Implicitly implements `require-sri-for`. https://twitter.com/ndm/status/781965722373255172
Totally. Given the ideal scenario, I don't think it gets any better than a list of hash sources. It's possible, though difficult.
Yes, hashes are good, but the vast majority of apps w/ CSP load external scripts. It's hard to generalize the current SRI-like approach
If you can host everything locally then you can even have a sane whitelist. It's just not what's happening in practice :(
yep, hence the "holy grail" classification :)
End of conversation
New conversation
We source a cached version of Google Analytics and are working towards a proxy + measurement protocol solution.
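The thread argues that a `script-src` made only of hash sources subsumes both `strict-dynamic` and `require-sri-for`: a script runs only if its bytes match a listed digest, so a tampered CDN copy is blocked just as SRI would block it. The following is an added example, not code from the thread or from any of the people in it, that generates such a policy and the matching `integrity` attribute and models the browser's check over constructed sample scripts. It assumes the CSP3 rule that an external script matches a hash source via its `integrity` metadata (which in practice also requires a CORS-readable response and a browser that implements that part of CSP3); the script bodies and the "compromised CDN" tampering are constructed for the demo.

```python
import base64
import hashlib

# Constructed sample scripts: an inline snippet and the body of an "external"
# file that a CDN would serve. Both are made up for this example.
INLINE_SCRIPT = b"window.dataLayer = window.dataLayer || [];"
ANALYTICS_JS = b"(function(){ /* vendored analytics build, constructed */ })();"


def hash_source(body: bytes, algo: str = "sha256") -> str:
    """Return a CSP hash-source / SRI token such as 'sha256-<base64 digest>'.

    CSP and SRI accept only the SHA-2 family, so anything else is rejected.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP and SRI only accept sha256/sha384/sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_src_directive(bodies: list[bytes], algo: str = "sha256") -> str:
    """Build a script-src value consisting solely of hash sources (no hosts)."""
    sources = " ".join(f"'{hash_source(b, algo)}'" for b in bodies)
    return f"script-src {sources}"


def integrity_attribute(body: bytes, algo: str = "sha256") -> str:
    """SRI integrity attribute for an external <script src=...> tag.

    It is the same token as the hash source, which is why a hash-only policy
    already carries the guarantee that require-sri-for was meant to enforce.
    """
    return hash_source(body, algo)


def allowed_by_policy(directive: str, body: bytes) -> bool:
    """Model the browser check: the script may run only if its digest equals
    one of the hash sources in the directive, wherever it was loaded from."""
    tokens = directive.split()[1:]
    algos = {t.strip("'").split("-", 1)[0] for t in tokens}
    candidates = {f"'{hash_source(body, a)}'" for a in algos}
    return any(t in candidates for t in tokens)


def demo() -> dict:
    """Generate the policy, then check a legitimate and a tampered script."""
    policy = script_src_directive([INLINE_SCRIPT, ANALYTICS_JS])
    # Constructed tampering: a CDN appends extra code to the vendored build.
    tampered = ANALYTICS_JS + b"// appended by a compromised CDN (constructed)"
    return {
        "policy": policy,
        "integrity": integrity_attribute(ANALYTICS_JS),
        "inline_ok": allowed_by_policy(policy, INLINE_SCRIPT),
        "external_ok": allowed_by_policy(policy, ANALYTICS_JS),
        "tampered_ok": allowed_by_policy(policy, tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical cost the thread points at shows up in `script_src_directive`: every deployed script body, including third-party ones, has to be hashed at build time, so the policy only works when you vendor or proxy those scripts (the cached-analytics approach mentioned above) rather than loading whatever the vendor currently serves.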