Importing modules inside HTML imports

John Barton johnjbarton at
Mon Aug 18 07:57:04 PDT 2014

On Mon, Aug 18, 2014 at 12:57 AM, Anne van Kesteren <annevk at>

> On Sun, Aug 17, 2014 at 8:52 PM, John Barton <johnjbarton at>
> wrote:
> > The argument goes like this: we all want secure Web pages, we can't secure
> > Web pages that allow inline scripts, therefore we have to ban inline
> > scripts.
> >
> > If the argument is wrong, ignore my advice, CSP will die.  I personally
> > think that would be great.
>
> It seems you did not read what I wrote. CSP does support inline
> scripts these days.

So you are claiming that CSP no longer restricts inline scripts and that
the various online docs are incorrect?  Or only that the server set the
"unsafe-inline" value to opt out of the restriction?

Some of the sites that make me think this has not changed:

In either case, authors should not include 'unsafe-inline' in their CSP
policies if they wish to protect themselves against XSS.

*Note:* Both 'unsafe-inline' and 'unsafe-eval' are unsafe and can open your
web site up to cross-site scripting vulnerabilities.
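
The question the two posters are disputing can be checked mechanically for any given policy. The following is an added example, not part of the original message or of any project mentioned in it: it classifies how a single `Content-Security-Policy` header value treats inline `<script>` blocks. It assumes the nonce and hash source expressions of CSP Level 2, which the thread itself does not name; the function name `inlineScriptStatus` and the sample policies are constructed for illustration.

```javascript
// Added example, not from the thread. Classifies how one CSP header value
// treats inline <script> blocks.
// Assumption: CSP Level 2 semantics ('nonce-...' / 'sha256-...' sources).
// Not handled: CSP Level 3 script-src-elem and 'strict-dynamic'.
function inlineScriptStatus(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Only the first occurrence of a directive counts; duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  // script-src governs scripts; default-src is the fallback when it is absent.
  const governing = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    return { inline: 'all', why: 'no script-src or default-src in the policy' };
  }
  const sources = directives.get(governing);
  const unsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  const nonceOrHash = sources.some(s =>
    /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+={0,2}'$/i.test(s));
  if (nonceOrHash) {
    // A nonce or hash makes the browser ignore 'unsafe-inline' in the same list,
    // so only inline scripts carrying the nonce or matching the hash run.
    return { inline: 'matching-only', why: governing + ' has a nonce or hash source' };
  }
  if (unsafeInline) {
    return { inline: 'all', why: governing + " contains 'unsafe-inline'" };
  }
  return { inline: 'none', why: governing + ' has no inline allowance' };
}

// Constructed sample policies, one per outcome.
const samples = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'nonce-cjEyMw==' 'unsafe-inline'",
  "default-src 'unsafe-inline'; script-src 'self'",
];
for (const p of samples) {
  const r = inlineScriptStatus(p);
  console.log(p.padEnd(52), r.inline.padEnd(14), r.why);
}
```

A result of `all` for a policy that contains `'unsafe-inline'` is the opt-out the message asks about; `matching-only` is the case where inline scripts run without giving up the restriction on injected ones.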
