Importing modules inside HTML imports
johnjbarton at google.com
Mon Aug 18 07:57:04 PDT 2014
On Mon, Aug 18, 2014 at 12:57 AM, Anne van Kesteren <annevk at annevk.nl>
> On Sun, Aug 17, 2014 at 8:52 PM, John Barton <johnjbarton at google.com>
> > The argument goes like this: we all want secure Web pages, we can't
> > Web pages that allow inline scripts, therefore we have to ban inline
> > scripts.
> > If the argument is wrong, ignore my advice, CSP will die. I personally
> > think that would be great.
> It seems you did not read what I wrote. CSP does support inline
> scripts these days.
So you are claiming that CSP no longer restricts inline scripts and that
the various online docs are incorrect? Or only that the server set the
"unsafe-inline" value to opt out of the restriction?
Some of the sites that make me think this has not changed:
In either case, authors should not include 'unsafe-inline' in their CSP
policies if they wish to protect themselves against XSS.
*Note:* Both 'unsafe-inline' and 'unsafe-eval' are unsafe and can open your
web site up to cross-site scripting vulnerabilities.
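As an added example that is not part of John's or Anne's messages (and not code from any project they mention), the following Python snippet shows what the two positions above look like in an actual `Content-Security-Policy` header: a policy that keeps `'unsafe-inline'` in `script-src` reopens the page to injected inline scripts, while a policy that whitelists one specific inline script by its SHA-256 hash (the CSP Level 2 hash-source mechanism) allows that script without `'unsafe-inline'`. The policies and the inline script body are constructed samples; the check assumes CSP Level 2 semantics, under which a nonce-source or hash-source in the same directive makes a conforming browser ignore `'unsafe-inline'`.

```python
import base64
import hashlib


def parse_csp(policy):
    """Parse a Content-Security-Policy header value into {directive: [sources]}.

    Per the CSP spec, if a directive name appears more than once only the
    first occurrence is honoured, so later duplicates are dropped here.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in directives:
            directives[name] = sources
    return directives


def script_sources(directives):
    """Return the effective script source list: script-src, else default-src."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", [])


def allows_unsafe_inline(policy):
    """True if the policy lets the browser run arbitrary inline <script> blocks.

    Under CSP Level 2 a nonce-source or hash-source in the effective script
    directive causes 'unsafe-inline' to be ignored, so such a policy does
    not reopen the page to injected inline scripts.
    """
    sources = [s.lower() for s in script_sources(parse_csp(policy))]
    if "'unsafe-inline'" not in sources:
        return False
    strict_sources = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    if any(s.startswith(strict_sources) for s in sources):
        return False
    return True


def inline_script_hash_source(script_text):
    """Compute the 'sha256-<base64>' source expression for one inline script.

    The digest covers the exact text content of the <script> element,
    whitespace included, which is why a one-character edit to the script
    invalidates the whitelisted hash.
    """
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


# Constructed samples (not taken from the thread or from any real site).
INLINE_SCRIPT = "console.log('hello');"
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'"
SAFER_POLICY = ("default-src 'self'; script-src 'self' "
                + inline_script_hash_source(INLINE_SCRIPT))


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("safer", SAFER_POLICY)):
        print(label, "->", policy)
        print("  arbitrary inline scripts allowed:", allows_unsafe_inline(policy))
```

The `safer` policy still runs the one inline script whose hash it lists, which is the sense in which CSP "supports inline scripts": the page author opts specific scripts in, and an attacker-injected `<script>` block fails the hash check.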