It would disable a lot of the code-reuse attack vectors.
For apps which are able to easily refactor their inline event handlers, the answer is: just do it. 'u-h-a' is for the 90% who can't/don't.
-
-
It also unblocks apps using widgets incompatible with CSP. Now you can often just bless their event handlers and you fix 'unsafe-inline'.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
and would definitely encourage you to comment on the spec (either one of the GitHub issues linked above, or just start a new one!)