On Fri, Jul 15, 2022 at 10:27 AM Daniel Veditz <[email protected]> wrote:
> This feature, adding sub-directives script-src-elem and script-src-attr.
> This is primarily to help legacy sites adding CSP because blocking in-line
> javascript is all or nothing in CSP2. (lack is notably causing web-compat
> issues)
>

Expanding a little on that last point in case anyone is curious:

If a site specifies the new directives a CSP3-compliant browser will ignore any "script-src" directive in that policy—it is overridden by the more specific ones. A browser without that support (e.g. Firefox) will ignore unknown directives and instead use "script-src".

In theory a site can make a stricter policy for compliant browsers, and then have a weaker "combined" script-src fallback policy (that may have to have 'unsafe-inline' in it) for older browsers. Some sites either don't do the fallback, or do but don't test it in Firefox.

The most common problem is adding use of script-src-attr and then taking 'unsafe-inline' out of script-src instead of adding a script-src-elem. If you only use *one* of the new directives and not both together you're probably doing it wrong.

-Dan Veditz

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CADYDTCDHhufkkbBdPgpyand%2B-7J68Zg52cPSsucee165_jHQ3Q%40mail.gmail.com.
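The fallback behaviour described in the message above, as an added example that is not code from the thread or from any browser: a small JavaScript model of the CSP3 directive chain for script (specific directive, then script-src, then default-src) that compares what a CSP3 browser and a browser without the new directives would do with inline script, and flags the "only one new directive" mistake. The function names, the two constructed headers, and the simplification to 'unsafe-inline' only (no nonces, hashes or 'strict-dynamic') are my assumptions.

```javascript
// Added example, not code from the thread. Models the CSP3 fallback chain for
// script (script-src-elem / script-src-attr -> script-src -> default-src) and
// compares what a CSP3 browser and a browser without the new directives do with
// inline script. Simplified: only 'unsafe-inline' is considered; nonces,
// hashes and 'strict-dynamic' are out of scope.

function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// kind is 'elem' (inline <script> block) or 'attr' (inline event handler).
// A browser without CSP3 support ignores the unknown specific directive and
// falls straight through to script-src.
function governingDirective(policy, kind, csp3) {
  const specific = kind === 'elem' ? 'script-src-elem' : 'script-src-attr';
  const chain = csp3 ? [specific, 'script-src', 'default-src'] : ['script-src', 'default-src'];
  return chain.find((name) => name in policy) || null;
}

function inlineAllowed(policy, kind, csp3) {
  const name = governingDirective(policy, kind, csp3);
  return name === null || policy[name].includes("'unsafe-inline'");
}

// legacyBreaks: inline script a CSP3 browser allows but the fallback blocks
// (the web-compat breakage). legacyWeaker: the accepted trade-off where the
// fallback is looser. onlyOneNewDirective: the "probably doing it wrong" case.
function fallbackReport(header) {
  const policy = parsePolicy(header);
  const kinds = ['elem', 'attr'];
  const legacyBreaks = kinds.filter((k) => inlineAllowed(policy, k, true) && !inlineAllowed(policy, k, false));
  const legacyWeaker = kinds.filter((k) => !inlineAllowed(policy, k, true) && inlineAllowed(policy, k, false));
  const onlyOneNewDirective = ('script-src-elem' in policy) !== ('script-src-attr' in policy);
  return { legacyBreaks, legacyWeaker, onlyOneNewDirective };
}

// Constructed headers. BROKEN reproduces the mistake described in the thread:
// script-src-attr added and 'unsafe-inline' removed from script-src, with no
// script-src-elem, so the fallback blocks event handlers in older browsers.
const BROKEN = "default-src 'self'; script-src 'self'; script-src-attr 'unsafe-inline'";
// CORRECT uses both new directives plus a weaker combined script-src fallback.
const CORRECT = "default-src 'self'; script-src-elem 'self'; script-src-attr 'unsafe-inline'; script-src 'self' 'unsafe-inline'";
```

Running `fallbackReport(BROKEN)` reports `legacyBreaks: ['attr']` and `onlyOneNewDirective: true`, while `fallbackReport(CORRECT)` reports no breakage and only the intended `legacyWeaker: ['elem']`.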
