'strict-dynamic' pros: what's the best way to create a client-side generated <iframe> that works with strict csp? I'm currently thinking I'm relegated to actually making a network request to a server. :/
-
If you use doc.write() & the markup you write into the iframe has scripts, you can bless them with hashes (if static) or add script nonce attributes in the string with markup.
-
Oh hey I forgot about hashes, thanks!
-
By the way, http://CSP.withgoogle.com mentions a 'csp.nonceUtils.getNonce' closure library, is that public?
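
The nonce approach suggested in the reply above, as an added example that is not code from the thread or from any library it mentions. It assumes the frame is a same-origin `about:blank` document, which inherits the parent page's policy so the page's own nonce applies; `readPageNonce`, `buildFrameMarkup` and `writeFrame` are hypothetical helper names, and `bodyHtml` is assumed to be trusted static markup.

```javascript
// Added example: helper names are hypothetical, sample values are constructed.
const NONCE_RE = /^[A-Za-z0-9+\/_-]+={0,2}$/; // base64 / base64url characters only

// Browser only: read the nonce the server issued for this page from an
// already-trusted script element (the .nonce property, with the attribute as fallback).
function readPageNonce(doc) {
  const el = doc.querySelector('script[nonce]');
  return el ? el.nonce || el.getAttribute('nonce') : null;
}

// Build the markup string for the frame. Scripts written with
// document.write() are parser-inserted, so 'strict-dynamic' does not
// trust them on its own; each one needs the nonce attribute.
function buildFrameMarkup(nonce, bodyHtml, inlineScripts) {
  if (typeof nonce !== 'string' || !NONCE_RE.test(nonce)) {
    throw new Error('refusing to build markup: missing or malformed nonce');
  }
  const scripts = inlineScripts.map((code) => {
    // A literal "</script" would end the element early and let the rest
    // of the string be parsed as markup.
    if (/<\/script/i.test(code)) {
      throw new Error('inline script contains "</script"');
    }
    return `<script nonce="${nonce}">${code}</script>`;
  });
  return `<!doctype html><html><body>${bodyHtml}${scripts.join('')}</body></html>`;
}

// Browser only: create the frame without a network request and write into it.
function writeFrame(parentDoc, markup) {
  const frame = parentDoc.createElement('iframe');
  parentDoc.body.appendChild(frame);
  const doc = frame.contentDocument;
  doc.open();
  doc.write(markup);
  doc.close();
  return frame;
}

if (typeof document !== 'undefined') {
  const nonce = readPageNonce(document);
  writeFrame(document, buildFrameMarkup(nonce, '<p id="out"></p>',
    ['document.getElementById("out").textContent = "ran";']));
}
```
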