Importing modules inside HTML imports

John Barton johnjbarton at google.com
Mon Aug 18 08:35:22 PDT 2014


On Mon, Aug 18, 2014 at 8:02 AM, Anne van Kesteren <annevk at annevk.nl> wrote:

> On Mon, Aug 18, 2014 at 4:57 PM, John Barton <johnjbarton at google.com>
> wrote:
> > So you are claiming that CSP no longer restricts inline scripts and that
> the
> > various online docs are incorrect?  Or only that the server  set the
> > "unsafe-inline" value to opt out of the restriction?
>
> Neither. See
> https://w3c.github.io/webappsec/specs/content-security-policy/
> for the new nonce-source and hash-source features. (Don't read TR/,
> it's kind of equivalent to reading the previous version of ES, but
> worse.)
>

Excellent thanks!  Hope those new features are adopted and servers
routinely implement the hash-source feature.

jjb
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20140818/d869487b/attachment.html>


More information about the es-discuss mailing list