Hi @mikewest, doing a CSP deep dive right now. Would appreciate it if you could elaborate on the reason for having both nonce/strict-dynamic and unsafe-inline/unsafe-eval in the same policy. E.g. the CSP from http://photos.google.com contains both. Assumption: backwards compatibility?
Replying to @ingobente @mikewest
Yes, it's to prevent scripts from being blocked in browsers which support CSP, but don't understand nonces or 'strict-dynamic'. Without 'unsafe-inline' such browsers would block inline scripts blessed via nonces/hashes.
3:51 AM - 2 Apr 2018
0 replies
0 retweets
3 likes
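As an added illustration of the reply above (not code from either tweet), a small Python model of how a CSP Level 1 browser and a current browser evaluate the same inline script under one policy; the policy string is constructed to have the shape the question describes, and default-src fallback and hash matching are left out.

```python
import re

# Constructed policy with the shape the question describes: a nonce plus
# 'strict-dynamic' alongside 'unsafe-inline' (and 'unsafe-eval', which this
# model does not evaluate; it governs eval(), not inline <script> elements).
EXAMPLE_POLICY = ("script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' "
                  "'unsafe-eval' https: http:")

def script_src_sources(policy):
    """Return the source expressions of script-src, or None if absent.

    Simplification: fallback to default-src is not modelled."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return None

def inline_script_allowed(policy, script_nonce=None, browser_knows_nonces=True):
    """Decide whether an inline <script nonce=...> executes under `policy`.

    browser_knows_nonces=False models a CSP Level 1 browser: 'nonce-...',
    'sha256-...' and 'strict-dynamic' are unrecognised tokens and are skipped,
    so inline code runs only if 'unsafe-inline' is present.
    browser_knows_nonces=True models a current browser: once a nonce source,
    hash source or 'strict-dynamic' is present, 'unsafe-inline' is ignored and
    the script runs only with a matching nonce (hash matching not modelled).
    """
    sources = script_src_sources(policy)
    if sources is None:
        return True  # no script-src at all: nothing restricts inline scripts here
    lowered = [s.lower() for s in sources]
    has_unsafe_inline = "'unsafe-inline'" in lowered
    if not browser_knows_nonces:
        return has_unsafe_inline
    # Nonce values are case-sensitive, so take them from the original tokens.
    nonces = {s[len("'nonce-"):-1] for s in sources
              if s.lower().startswith("'nonce-") and s.endswith("'")}
    has_hash = any(re.match(r"'sha(256|384|512)-", s) for s in lowered)
    if nonces or has_hash or "'strict-dynamic'" in lowered:
        return script_nonce is not None and script_nonce in nonces
    return has_unsafe_inline

def compare_browsers(policy, script_nonce):
    """Outcome of the same inline script in a legacy and a current browser."""
    return {
        "legacy": inline_script_allowed(policy, script_nonce, browser_knows_nonces=False),
        "current": inline_script_allowed(policy, script_nonce, browser_knows_nonces=True),
    }
```

Dropping 'unsafe-inline' from EXAMPLE_POLICY flips only the legacy result to blocked, which is the breakage the reply describes; current browsers ignore it either way.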