I feel this is the holy grail for CSP script-src. We wouldn't even need `strict-dynamic`. Implicitly implements `require-sri-for`. https://twitter.com/ndm/status/781965722373255172 …
Yes, hashes are good, but the vast majority of apps w/ CSP load external scripts. It's hard to generalize the current SRI-like approach
If you can host everything locally then you can even have a sane whitelist. It's just not what's happening in practice :(
yep, hence the "holy grail" classification :)