I took some time to sketch out `Scripting-Policy` in a little more detail: https://mikewest.github.io/csp-next/scripting-policy.html …. I'm starting to think it might actually not be a terrible idea. https://twitter.com/mikewest/status/1150683169160663041 …
1. Looks pretty good! 2. Why strict-dynamic for non-parser-inserted scripts? It feels like TT for such scripts would be a better fit here long term, especially if they appear already for eval.
Two answers: 1. I didn't think about it, file an issue, let's chat! 2. My initial reaction is that I'd like to maintain behavior similar to CSP. The migration story is likely to be fraught as-is (https://github.com/mikewest/csp-next/issues/3 …); consistency seems valuable to mitigate confusion.