I took some time to sketch out `Scripting-Policy` in a little more detail: https://mikewest.github.io/csp-next/scripting-policy.html. I'm starting to think it might actually not be a terrible idea. https://twitter.com/mikewest/status/1150683169160663041
Initial reading looks good. Quick question though, is there a reason why eval is set to "allow" by default? I would expect it to be “allow-trustedscript” to push developers away from this unsafe function, but also introduce them to TrustedTypes.
Typo. It should have been `allow-trustedscript` to match the description in https://mikewest.github.io/csp-next/scripting-policy.html#examples. I'll fix that up.
Ahh, good, thanks :-) ... as to typos, I did also see two “iff” words.