On Mon, Aug 18, 2014 at 8:02 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Mon, Aug 18, 2014 at 4:57 PM, John Barton <johnjbar...@google.com> wrote:
> > So you are claiming that CSP no longer restricts inline scripts and that the
> > various online docs are incorrect? Or only that the server set the
> > "unsafe-inline" value to opt out of the restriction?
>
> Neither. See
> https://w3c.github.io/webappsec/specs/content-security-policy/
> for the new nonce-source and hash-source features. (Don't read TR/,
> it's kind of equivalent to reading the previous version of ES, but
> worse.)

Excellent thanks! Hope those new features are adopted and servers routinely implement the hash-source feature.

jjb
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss