Some sites have shared the desire to use some features of CSP, but not all of them at once. For example, a site may want to utilize the content loading features of CSP to help prevent data exfiltration, but they may not want to be subject to the JavaScript restrictions which are enabled by default (no inline script, no eval, etc.).
We have made two additions to the spec that we think will address these needs:

1. Sites can opt out of "no inline scripts" by adding the "inline" keyword to their script-src directive.
2. Sites can opt out of "no code from strings" by adding the "eval" keyword to their script-src directive.

These additions may enable some sites, which would otherwise be deterred by the JS restrictions, to adopt CSP in a limited fashion early, and later do a full implementation as resources permit.

Cheers,
Brandon

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
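The following is an added example, not part of Brandon's mail or of the Mozilla CSP prototype: a small policy evaluator that applies the two opt-outs described above. Inline script and code-from-strings are treated as blocked by default and only permitted when the "inline" or "eval" keyword appears in script-src, and the "limited adoption" case (content-loading restrictions kept, script restrictions waived) is contrasted with a full policy. The policy grammar (directives separated by ";", values separated by whitespace), the header name X-Content-Security-Policy, origin-equality matching for external script sources, and the sample hostnames are assumptions of this example, not details taken from the mail.

```javascript
// Added example, not from the original mail or the Mozilla CSP prototype.
// Assumptions: directives are separated by ";", values by whitespace, the
// policy travels in an X-Content-Security-Policy header, and an external
// script matches a source expression when their origins are equal.
// Keywords such as 'self' are deliberately not modelled here.

// Parse "name v1 v2; name2 v3" into a Map of directive name -> value list.
// A repeated directive keeps its first occurrence; later copies are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const clause of policy.split(";")) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Apply the draft's script rules from the mail: inline script and code from
// strings are blocked unless script-src carries the "inline" / "eval" keyword.
// A missing script-src therefore leaves both restrictions in force.
function scriptRestrictions(policy) {
  const scriptSrc = parsePolicy(policy).get("script-src") || [];
  const keywords = new Set(scriptSrc.map((v) => v.toLowerCase()));
  return {
    inlineScriptAllowed: keywords.has("inline"),
    evalAllowed: keywords.has("eval"),
    // Everything else in script-src is a source expression for external scripts.
    scriptSources: scriptSrc.filter(
      (v) => !["inline", "eval"].includes(v.toLowerCase())
    ),
  };
}

// Decide whether one script would run under the policy. `script` is one of
// { inline: true }, { fromString: true } (eval, new Function, string
// setTimeout), or { src: "https://host/path.js" }.
function scriptAllowed(policy, script) {
  const r = scriptRestrictions(policy);
  if (script.inline) return r.inlineScriptAllowed;
  if (script.fromString) return r.evalAllowed;
  if (script.src) {
    // Compare origins rather than string prefixes, so that
    // https://cdn.example.test does not also admit https://cdn.example.test.evil
    return r.scriptSources.some((s) => {
      try {
        return new URL(s).origin === new URL(script.src).origin;
      } catch (e) {
        return false; // not a URL-shaped source expression; treated as no match
      }
    });
  }
  return false;
}

// Summarise which content-loading directives stay in force alongside the
// script opt-outs: the "limited adoption" case from the mail.
function summarize(policy) {
  const directives = parsePolicy(policy);
  const loadDirectives = [...directives.keys()].filter((d) => d !== "script-src");
  const r = scriptRestrictions(policy);
  return {
    loadDirectives,
    inlineScriptAllowed: r.inlineScriptAllowed,
    evalAllowed: r.evalAllowed,
  };
}

// Constructed sample header values (not real policies from any site).
// Limited adoption: restrict where content loads from, waive the JS rules.
const LIMITED_POLICY =
  "img-src https://cdn.example.test; frame-src https://cdn.example.test; " +
  "script-src https://cdn.example.test inline eval";
// Full policy: same loading rules, default script restrictions kept.
const STRICT_POLICY =
  "img-src https://cdn.example.test; frame-src https://cdn.example.test; " +
  "script-src https://cdn.example.test";

console.log("limited:", summarize(LIMITED_POLICY));
console.log("strict: ", summarize(STRICT_POLICY));
```

Run with `node`; the two summaries show identical load restrictions and differ only in the inline/eval flags, which is exactly the staged-adoption path the mail proposes.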