I took some time to sketch out `Scripting-Policy` in a little more detail: https://mikewest.github.io/csp-next/scripting-policy.html. I'm starting to think it might actually not be a terrible idea. (https://twitter.com/mikewest/status/1150683169160663041)

Feedback would be welcome, either here or as issues/PRs filed on the GitHub repository: https://github.com/mikewest/csp-next/. Thanks!
And I've not really given this any thought as to actually using this, but "If a policy sets requirements for both a nonce and some set of integrity, either will be sufficient to allow script execution" - I was initially hoping I could require both checks to pass.

You're right for the default, I'm just wondering if there would be any advantage for a very strict system requiring both. I'm currently using (although browsers ignore) CSP require-sri-for, so I already have those hash values, but wonder if requiring a nonce might add something.
Initial reading looks good. Quick question though, is there a reason why eval is set to "allow" by default? I would expect it to be "allow-trustedscript" to push developers away from this unsafe function, but also introduce them to TrustedTypes.

Typo. It should have been `allow-trustedscript` to match the description in https://mikewest.github.io/csp-next/scripting-policy.html#examples. I'll fix that up.
1. Looks pretty good! 2. Why strict-dynamic for non-parser-inserted scripts? It feels like TT for such scripts would be a better fit here long term, especially if they appear already for eval.

Two answers: 1. I didn't think about it, file an issue, let's chat! 2. My initial reaction is that I'd like to maintain behavior similar to CSP. The migration story is likely to be fraught as-is (https://github.com/mikewest/csp-next/issues/3); consistency seems valuable to mitigate confusion.