http://photos.google.com is serving two CSPs, both w/ strict-dynamic, one w/ origins. Is this to have the best of both worlds @arturjanc?
Replying to @durumcrustulum
Yes. But only one of the policies has 'strict-dynamic', the other one is an old whitelist-based CSP with a nonce to allow inline scripts.
Replying to @arturjanc @durumcrustulum
The whitelist policy is for "origin hygiene", to prevent devs from accidentally loading untrusted scripts; 'strict-dynamic' is for XSS.
2:39 PM - 31 Mar 2017
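An added example, not from the thread and not Google's code, modelling how a browser combines the two policies @arturjanc describes: each policy is enforced on its own, so a script runs only if the 'strict-dynamic' policy and the whitelist policy both allow it. The nonce, the hostnames and the page origin are constructed assumptions.

```javascript
// Added model of CSP3 multi-policy script-src evaluation; the policies are
// constructed to mirror the thread's description, not photos.google.com's.
const NONCE = 'r4nd0m';  // constructed; real nonces are fresh per response
const PAGE_ORIGIN = 'https://photos.example';  // constructed
const POLICIES = [
  // 'strict-dynamic' + nonce: host entries are ignored, so injected markup
  // cannot run without the nonce (the XSS defence)
  `script-src 'nonce-${NONCE}' 'strict-dynamic'`,
  // whitelist + nonce: "origin hygiene", limits which hosts code may load from
  `script-src 'self' https://apis.example 'nonce-${NONCE}'`,
];

// Returns the source list of the script-src directive of one policy string.
function parseScriptSrc(policy) {
  const dir = policy.split(';').map(d => d.trim())
    .find(d => d.startsWith('script-src '));
  return dir ? dir.split(/\s+/).slice(1) : [];
}

// script: { url?: string, nonce?: string, parserInserted: boolean }
// Simplified: host sources are matched by exact origin (no wildcards/paths),
// and non-parser-inserted scripts are assumed to be created by trusted code.
function allowedBy(sources, script, pageOrigin) {
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  if (sources.includes("'strict-dynamic'")) {
    // 'self', hosts and 'unsafe-inline' are ignored; trust propagates only to
    // scripts added via createElement etc., never to parser-inserted ones.
    return !script.parserInserted;
  }
  if (!script.url) return sources.includes("'unsafe-inline'");  // inline, no nonce
  const origin = new URL(script.url).origin;
  return sources.some(s => (s === "'self'" ? origin === pageOrigin : s === origin));
}

// CSP3: when several policies are delivered, each is enforced independently,
// so a script is allowed only if every policy allows it.
function scriptAllowed(script, policies = POLICIES, pageOrigin = PAGE_ORIGIN) {
  return policies.every(p => allowedBy(parseScriptSrc(p), script, pageOrigin));
}

// Trusted code dynamically loading from a non-whitelisted host: passes the
// strict-dynamic policy but the whitelist policy blocks it (origin hygiene).
console.log(scriptAllowed({ url: 'https://evil.example/x.js', parserInserted: false }));  // false
// Injected <script src> from a whitelisted host without a nonce: the
// whitelist policy would allow it, strict-dynamic blocks it (XSS defence).
console.log(scriptAllowed({ url: 'https://apis.example/x.js', parserInserted: true }));   // false
```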