There's nothing special about data URLs and CSP. If you want to whitelist data URLs, you can include data: as a source: default-src 'self'; script-src 'self' data: Note: Whitelisting data: as a source for script will open up your site to XSS. If you want to whitelist data: for WebWorkers, you can do that as follows: default-src 'self'; connect-src 'self' data: Note: That doesn't have the same security problems as whitelisting data: as a source for script. Adam On Thu, Jul 19, 2012 at 1:35 PM, David Bruant <bruant.d@gmail.com> wrote: > Hi, > > I was wondering what CSP says about data uri used in as script@src and > Web Worker source. > > Thanks, > > David > >Received on Thursday, 19 July 2012 21:26:29 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 19 July 2012 21:26:29 GMT