So the high-order bit here is that features need a positive standards-position resolution before we ship them. The question of granularity is more of a practical consideration.
If a set of related-but-technically-independent subfeatures are all finalized, and we have the bandwidth to evaluate all of them, and we think it's reasonably likely we'll come to the same conclusion on all of them, then it's probably simplest to do them as a package. If any of those conditions doesn't hold, it may make more sense to split them up.

On Fri, Jul 15, 2022 at 10:49 AM Daniel Veditz <[email protected]> wrote:

> On Fri, Jul 15, 2022 at 10:27 AM Daniel Veditz <[email protected]> wrote:
>
>> This feature, adding sub-directives script-src-elem and script-src-attr.
>> This is primarily to help legacy sites adding CSP because blocking in-line
>> javascript is all or nothing in CSP2. (lack is notably causing web-compat
>> issues)
>
> Expanding a little on that last point in case anyone is curious:
>
> If a site specifies the new directives a CSP3-compliant browser will
> ignore any "script-src" directive in that policy—it is overridden by the
> more specific ones. A browser without that support (e.g. Firefox) will
> ignore unknown directives and instead use "script-src". In theory a site
> can make a stricter policy for compliant browsers, and then have a weaker
> "combined" script-src fallback policy (that may have to have
> 'unsafe-inline' in it) for older browsers. Some sites either don't do the
> fallback, or do but don't test it in Firefox. The most common problem is
> adding use of script-src-attr and then taking 'unsafe-inline' out of
> script-src instead of adding a script-src-elem.
>
> If you only use *one* of the new directives and not both together you're
> probably doing it wrong.
>
> -Dan Veditz
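
An added example, not part of the thread or of any browser's code: a small Python check that works out which source list governs inline `<script>` elements and inline event handlers in a browser with and without `script-src-elem`/`script-src-attr` support, and reports the fallback mistakes described in the quoted message. The function names and the three sample policies are assumptions constructed for illustration.

```python
# Added example, not from the thread. Function names are illustrative.
NEW = ("script-src-elem", "script-src-attr")
CANCELS_INLINE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-", "'strict-dynamic'")

def parse_csp(policy):
    """Serialized policy -> {directive: [sources]}; a repeated directive is ignored."""
    out = {}
    for part in policy.split(";"):
        tokens = part.lower().split()  # lowercased: only keyword prefixes are inspected
        if tokens:
            out.setdefault(tokens[0], tokens[1:])
    return out

def governing(directives, name, supports_new):
    """Source list applied for `name`, or None when no directive restricts scripts."""
    chain = ([name] if supports_new else []) + ["script-src", "default-src"]
    return next((directives[d] for d in chain if d in directives), None)

def allows_inline(sources):
    """True if all inline script is allowed by this source list."""
    if sources is None:
        return True
    if any(s.startswith(CANCELS_INLINE) for s in sources):
        return False  # a nonce, hash or 'strict-dynamic' makes 'unsafe-inline' inert
    return "'unsafe-inline'" in sources

def lint(policy):
    """Findings for a browser that ignores script-src-elem / script-src-attr."""
    d = parse_csp(policy)
    used = [n for n in NEW if n in d]
    findings = []
    if len(used) == 1:
        findings.append(f"only {used[0]} is set; the other kind still uses script-src")
    if used and governing(d, used[0], False) is None:
        findings.append("no script-src/default-src fallback: scripts unrestricted without support")
    for name in used:
        if allows_inline(governing(d, name, True)) and not allows_inline(governing(d, name, False)):
            findings.append(f"{name}: inline allowed with support, blocked by the fallback")
    return findings

# Constructed sample policies.
BROKEN = "script-src 'self'; script-src-attr 'unsafe-inline'"
FALLBACK = "script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-inline'"
NO_FALLBACK = "script-src-elem 'self'; script-src-attr 'none'"

if __name__ == "__main__":
    for p in (BROKEN, FALLBACK, NO_FALLBACK):
        print(p, "->", lint(p) or "ok")
```

`BROKEN` is the case called out as the most common problem: inline event handlers work where `script-src-attr` is honoured and are blocked where the browser falls back to `script-src`.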
