I feel this is the holy grail for CSP script-src. We wouldn't even need `strict-dynamic`. Implicitly implements `require-sri-for`. https://twitter.com/ndm/status/781965722373255172
Replying to @ndm
This doesn't let you load JS widgets (which load sub-scripts) and will break if the script content changes (any non-static API), right?
Replying to @arturjanc
We don't load any widgets that subload. We don't support any dynamic or otherwise not-known-at-deploy-time scripts.
Replying to @ndm
Makes sense, it should work then. But most sites use stuff like analytics and other external scripts; they'd have trouble w/ this model
Replying to @arturjanc
Totally. Given the ideal scenario, I don't think it gets any better than a list of hash sources. It's possible, though difficult.
Replying to @ndm
Yes, hashes are good, but the vast majority of apps w/ CSP load external scripts. It's hard to generalize the current SRI-like approach
If you can host everything locally then you can even have a sane whitelist. It's just not what's happening in practice :(
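The "list of hash sources" model discussed above, as an added example that is not part of the thread: a hypothetical site with two constructed script bodies builds a script-src made only of hash-sources, and the check shows why any change to a script's content (or an unlisted sub-script) stops executing.

```python
import base64
import hashlib

# Constructed sample: the only scripts this hypothetical site ships, all known at deploy time.
DEPLOYED_SCRIPTS = {
    "/static/app.js": b"document.getElementById('x').textContent = 'hi';",
    "/static/vendor.js": b"window.vendor = {version: '1.0'};",
}


def csp_hash(script_body: bytes, algo: str = "sha256") -> str:
    """CSP/SRI hash-source token ('sha256-<base64 digest>') over the exact script bytes.
    Any byte-level change to the script produces a different token."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_script_src(scripts: dict) -> str:
    """script-src consisting only of hash-sources: no host allowlist, no nonces,
    no 'strict-dynamic'. Only byte-identical scripts may execute."""
    tokens = " ".join(f"'{csp_hash(body)}'" for body in scripts.values())
    return f"script-src {tokens}"


def is_allowed(policy: str, script_body: bytes) -> bool:
    """Would a script with exactly this body pass the policy's script-src?
    (For external scripts, CSP Level 3 matches the hash against the <script>
    tag's integrity= metadata, which is what makes SRI implicit in this model.)"""
    directive = next(d.strip() for d in policy.split(";")
                     if d.strip().startswith("script-src"))
    return f"'{csp_hash(script_body)}'" in directive.split()[1:]


if __name__ == "__main__":
    policy = build_script_src(DEPLOYED_SCRIPTS)
    print("Content-Security-Policy:", policy)
    # The deployed bytes pass.
    print(is_allowed(policy, DEPLOYED_SCRIPTS["/static/app.js"]))
    # A third-party script whose content changed after deploy is blocked,
    # as is any sub-script a widget tries to load that was never hashed.
    changed = DEPLOYED_SCRIPTS["/static/vendor.js"] + b" // build 2"
    print(is_allowed(policy, changed))
```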