On 31.01.2014 06:43, Hajime Morrita wrote:
> Generally I prefer the master-CSP model to the "own CSP" model due to its
> simplicity, but I agree that unsafe-script kills the conciseness of Imports.
>
> To make inline scripts work with imports, we might want another CSP
> directive like "safe-script", which allows parser-made <script> but
> doesn't allow dynamic ones. There is some room to talk about what should be
> allowed as "safe-script" though. My gut feeling is A) <script>: Allowed,
> but B) inline event handlers: Not allowed.

What is a "safe" script? What do you mean by parser-made script tags? We must be careful not to allow bypassing CSP with a simple XSS.

> Does this make sense?