It's likely going to be a per-page policy generated automatically by middleware for static HTML, allowing only scripts from the current doc.
In those cases the scripts often do not invoke functions which trigger interesting behavior (in our use cases it's often just analytics).
I hope we can agree that this is not infallible, but it is a significant tightening of the "no restrictions at all" model of 'unsafe-inline'.
For apps which are able to easily refactor their inline event handlers, the answer is: just do it. 'u-h-a' is for the 90% who can't/don't.
It also unblocks apps using widgets incompatible with CSP. Now you can often just bless their event handlers and you fix 'unsafe-inline'.
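An added example, not posted by any participant in the thread above: a small Python helper of the kind the first message describes, a middleware step that generates a per-page script-src for static HTML by hashing each inline script and each inline event handler, adding 'unsafe-hashes' (the keyword CSP Level 3 settled on for what the thread calls 'u-h-a' / 'unsafe-hashed-attributes') only when the page actually contains handlers. The sample HTML, the track() calls in it, and the function names are constructed for this example and assume nothing about any particular app or spec issue.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page standing in for the static HTML the middleware serves.
SAMPLE_HTML = """<!doctype html>
<html><head><title>demo</title></head>
<body>
<button onclick="track('signup')">Sign up</button>
<a href="#" onmouseover="track('hover')">Hover</a>
<script>console.log('analytics');</script>
</body></html>"""


def csp_hash(source: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline script body or event-handler attribute value:
    quoted 'algo-<base64 digest over the UTF-8 bytes of the exact source text>'."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


class _InlineCollector(HTMLParser):
    """Collect inline <script> bodies (no src=) and every on* attribute value.
    HTMLParser hands back attribute values entity-decoded, which is the text the
    browser hashes, so we do not touch them further."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.handlers = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on") and value is not None:
                self.handlers.append(value)
        if tag == "script" and not any(n.lower() == "src" for n, _ in attrs):
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False


def collect_inline(html: str):
    p = _InlineCollector()
    p.feed(html)
    p.close()
    return p.scripts, p.handlers


def build_script_src(html: str) -> str:
    """Per-page script-src: 'self', one hash per inline script, and, only if the page
    has inline event handlers, 'unsafe-hashes' plus one hash per handler.
    'unsafe-inline' is never emitted."""
    scripts, handlers = collect_inline(html)
    sources = ["'self'"]
    sources += sorted({csp_hash(s) for s in scripts})
    if handlers:
        sources.append("'unsafe-hashes'")
        sources += sorted({csp_hash(h) for h in handlers})
    return "script-src " + " ".join(sources)


def handler_allowed(script_src: str, handler: str) -> bool:
    """Would this policy let the browser run `handler` as an inline event handler?
    Both conditions are needed: the 'unsafe-hashes' keyword and a matching hash."""
    tokens = script_src.split()
    return "'unsafe-hashes'" in tokens and csp_hash(handler) in tokens


if __name__ == "__main__":
    policy = build_script_src(SAMPLE_HTML)
    print(policy)
    print("track('signup') allowed:", handler_allowed(policy, "track('signup')"))
    print("alert(1) allowed:", handler_allowed(policy, "alert(1)"))
```

The point the thread makes about tightening shows up in handler_allowed: an injected `onerror="alert(1)"` has no matching hash and is blocked, whereas under 'unsafe-inline' it would run. The caveats a practitioner needs: the hash covers the exact attribute text, so changing `track('signup')` to `track('login')` in the HTML means regenerating the policy (which is why it belongs in middleware rather than a hand-written header), and this helper hashes only on* attributes and inline <script> bodies, not javascript: URLs.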
and would definitely encourage you to comment on the spec (either one of the GitHub issues linked above, or just start a new one!)