Sounds promising, but the key use case cited by Brendan is ease-of-use so it's important that all of this happens by default as far as Web devs are concerned.
On Mon, Aug 18, 2014 at 11:23 AM, caridy <car...@gmail.com> wrote:

> John, you can also use SPDY/HTTP2.0 PUSH to send sticky code alongside
> with the original HTML that will mimic the use of inline scripts but
> behaves like an external script. Essentially, you will have:
> `<script src="/my-sticky-data-and-initialization-per-page.js"></script>`,
> while that script is actually sent thru the SPDY multi-plex, which means
> no roundtrip is issued, no perf penalty, and it complies with CSP
> restrictions, the best of both worlds!
>
> /caridy
>
> On Aug 18, 2014, at 11:35 AM, John Barton <johnjbar...@google.com> wrote:
>
> On Mon, Aug 18, 2014 at 8:02 AM, Anne van Kesteren <ann...@annevk.nl>
> wrote:
>
>> On Mon, Aug 18, 2014 at 4:57 PM, John Barton <johnjbar...@google.com>
>> wrote:
>> > So you are claiming that CSP no longer restricts inline scripts and
>> > that the various online docs are incorrect? Or only that the server
>> > set the "unsafe-inline" value to opt out of the restriction?
>>
>> Neither. See
>> https://w3c.github.io/webappsec/specs/content-security-policy/
>> for the new nonce-source and hash-source features. (Don't read TR/,
>> it's kind of equivalent to reading the previous version of ES, but
>> worse.)
>
> Excellent thanks! Hope those new features are adopted and servers
> routinely implement the hash-source feature.
>
> jjb
> _______________________________________________
> es-discuss mailing list
> es-discuss@mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss