One of the proposals was to include event handler names, but this seems more complicated for little benefit so I'd prefer to avoid it.
I hope we can agree that this is not infallible, but it is a significant tightening of the "no restrictions at all" model of 'unsafe-inline'.
For apps which are able to easily refactor their inline event handlers, the answer is: just do it. 'u-h-a' is for the 90% who can't/don't.
It also unblocks apps using widgets incompatible with CSP. Now you can often just bless their event handlers and you fix 'unsafe-inline'.
and would definitely encourage you to comment on the spec (either one of the GitHub issues linked above, or just start a new one!)