Redundancsp ˈɹɪdʌndən̩(t)siː-ɛs-piː 1. The phrase "CSP policy"
I think you're both right ;) In a new mechanism we'd still need switches to enable some unsafe things to aid deployment (eval() / 's-d' trust propagation / hashes for trusted markup), but we could make it simpler to express this.
Leaning on development aid for adoption gains is a path to: Artur: nonce "123"; csp: "X-Content-Security-Policy: script-src unsafe-inline 'nonce-123' script-dynamic unsafe-hashed-attributes unsafe-eval http://foo ..."
Eh, the main problems with CSP complexity are: 1) Lots of directives which don't do much. 2) All the backcompat 'unsafe-*' cruft to avoid UA sniffing. A new mechanism solely to control script behavior avoids both even if it's as expressive as current script-src.
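The graceful degradation Artur's policy relies on, modelled as an added example that is not from the thread: a toy evaluator applies one script-src list the way a CSP Level 1, 2 or 3 engine would, so the same header yields three different decisions without any UA sniffing. It uses the standardized keyword spellings ('strict-dynamic', quoted 'unsafe-inline'), skips hash matching, and assumes a page origin of https://app.example; all of that is simplification, not spec text.

```python
from urllib.parse import urlparse

# Source expressions each CSP level recognises; anything unknown is ignored,
# which is exactly what lets one policy degrade across browser generations.
KEYWORDS = {1: {"'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"}}
KEYWORDS[2] = KEYWORDS[1] | {"nonce", "hash"}
KEYWORDS[3] = KEYWORDS[2] | {"'strict-dynamic'"}

# Artur's header from the thread, in standardized CSP3 spelling (constructed).
POLICY = "'nonce-123' 'strict-dynamic' 'unsafe-inline' 'unsafe-eval' http://foo"

def _kind(expr):
    if expr.startswith("'nonce-"):
        return "nonce"
    if expr.startswith("'sha"):
        return "hash"
    return expr if expr.startswith("'") else "host"

def _effective(src_list, level):
    """Drop the expressions a Level-`level` engine does not understand."""
    return [e for e in src_list.split()
            if _kind(e) == "host" or _kind(e) in KEYWORDS[level]]

def _host_match(expr, url, self_origin):
    """Simplified matching: 'self', a bare scheme ('https:'), or exact origin."""
    if expr == "'self'":
        expr = self_origin
    if expr.endswith(":"):
        return urlparse(url).scheme + ":" == expr
    return urlparse(url)[:2] == urlparse(expr)[:2]   # (scheme, netloc)

def allows_script(src_list, level, *, nonce=None, url=None,
                  parser_inserted=True, self_origin="https://app.example"):
    """Would a Level-`level` browser run this script under `src_list`?
    Inline scripts pass url=None; `nonce` is the script tag's nonce attribute;
    parser_inserted=False means created by script via createElement etc."""
    srcs = _effective(src_list, level)
    kinds = {_kind(e) for e in srcs}
    if nonce and f"'nonce-{nonce}'" in srcs:
        return True                              # valid nonce wins (Level 2+)
    if "'strict-dynamic'" in srcs:
        # Level 3: host allowlist, 'self' and 'unsafe-inline' are all ignored;
        # only scripts added by already-trusted code via DOM APIs still run.
        return url is not None and not parser_inserted
    if url is None:
        # Level 2+: a nonce or hash in the list switches 'unsafe-inline' off
        return "'unsafe-inline'" in srcs and not ({"nonce", "hash"} & kinds)
    return any(_host_match(e, url, self_origin)
               for e in srcs if _kind(e) in ("host", "'self'"))
```

Run it against POLICY at levels 1, 2 and 3 to see why each 'unsafe-*' keyword is there: Level 1 honours only 'unsafe-inline' and http://foo, Level 2 enforces the nonce and silently disables 'unsafe-inline', and Level 3 additionally discards the allowlist because of 'strict-dynamic'.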