CSP support is becoming an expected feature of such integrations; services need to adapt and not be a detriment to the security of sites using them.
https://twitter.com/ivanristic/status/803591094499938304
Also inlined script and styles are ugly and become cumbersome to maintain. :)
Nonces work for both inline & external JS/CSS, they just give you the option of inlining if your app needs it.
And if inline JS/CSS is added by a widget you don't control, then you generally don't have to maintain it.
OTOH if the JS widget adds markup with inline event handlers or javascript: URIs to your document then it sucks.
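The points above (nonces cover both inline and external scripts, but a widget that injects inline event handlers or javascript: URIs cannot be covered by any nonce) can be seen in a small server-side check. The following is an added example, not code posted by any of the participants; it assumes a Python back end that renders its own templates and uses only the standard library. `WIDGET_HTML` is constructed sample markup, and the policy string is one common shape of a nonce-based CSP, not a policy taken from the thread.

```python
import base64
import re
import secrets
from html.parser import HTMLParser


def make_nonce() -> str:
    """Fresh 128-bit random nonce per response; base64 so it is valid in a header and an attribute."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str) -> str:
    """Nonce-based policy: any <script> (inline or external) carrying the nonce runs, and
    'strict-dynamic' lets scripts it loads programmatically run too, so no host allowlist is needed."""
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        f"style-src 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )


class _MarkupAuditor(HTMLParser):
    """Collects what the policy from build_csp() would refuse to execute in a piece of markup."""

    def __init__(self, expected_nonce: str):
        super().__init__()
        self.expected_nonce = expected_nonce
        self.blocks_missing_nonce = []  # (tag, src or "<inline>"): fixable by stamping a nonce
        self.inline_handlers = []       # (tag, attribute, value): no nonce can ever allow these

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        attrs = dict(attrs)
        if tag in ("script", "style") and attrs.get("nonce") != self.expected_nonce:
            self.blocks_missing_nonce.append((tag, attrs.get("src", "<inline>")))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.inline_handlers.append((tag, name, value))
            elif name in ("href", "src", "action") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.inline_handlers.append((tag, name, value))


def audit_markup(html: str, nonce: str) -> dict:
    """Report nonce-less script/style blocks and inline handlers in the given markup."""
    auditor = _MarkupAuditor(nonce)
    auditor.feed(html)
    auditor.close()
    return {
        "blocks_missing_nonce": auditor.blocks_missing_nonce,
        "inline_handlers": auditor.inline_handlers,
    }


def apply_nonce(html: str, nonce: str) -> str:
    """Stamp the per-response nonce onto every <script>/<style> start tag in markup we control.
    Only meant for tags that do not already carry a nonce attribute."""
    return re.sub(r"<(script|style)\b", rf'<\g<1> nonce="{nonce}"', html, flags=re.IGNORECASE)


# Constructed sample: markup a third-party widget might inject into the page.
WIDGET_HTML = """
<div id="widget">
  <script src="https://widget.example/loader.js"></script>
  <script>window.widgetConfig = {"theme": "dark"};</script>
  <button onclick="widgetOpen()">Open</button>
  <a href="javascript:widgetClose()">Close</a>
</div>
"""

if __name__ == "__main__":
    nonce = make_nonce()
    print("Content-Security-Policy:", build_csp(nonce))
    print("before nonce:", audit_markup(WIDGET_HTML, nonce))
    # Stamping the nonce rescues both <script> tags, but the onclick and javascript: URI
    # remain blocked: those need to be rewritten as addEventListener calls in a nonced script.
    print("after nonce: ", audit_markup(apply_nonce(WIDGET_HTML, nonce), nonce))
```

Running it shows the two `<script>` tags (one external, one inline) move from blocked to allowed once the nonce is stamped on them, while the `onclick` attribute and the `javascript:` link stay in the report regardless, which is exactly the case where a widget "sucks" under a nonce policy.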
Someday, someday. :)
If I iframe something that has unsafe-inline, I can't nonce with strict-dynamic can I?
If you iframe something then CSP shouldn't be a problem because the framed document isn't subject to your policy.
iframes are perfect for 3rd party components (i.e. you can sandbox/csp them, unlike custom elements).
yeah I realised that they were applying a style to the iframe and not in it :(
not ideal, but you can iframe an iframe... setting height can be an issue though: https://github.com/craigfrancis/iframe-height