Re: lcamtuf on the subtle/deadly problem with CSP

How about a 'static' directive? With it, no domains or paths have to be specified; only the static references available at initial page load will be accepted.

A lot of libs etc. rely on dynamic loading, so maybe it won't be usable in practice. I'm just thinking of Michal's idea to reuse the full paths already there and still have working HTML in non-CSP browsers (Daniel's point).

   Regards, John

-- 
My music http://www.johnwilander.com
Twitter https://twitter.com/johnwilander
CV or Résumé http://johnwilander.se

On 1 Sep 2011, at 06:53, Michal Zalewski <lcamtuf@coredump.cx> wrote:

>> The JSONP issue is one I've heard from multiple people, though, including CSP early adopters. Is it time to standardize a safer way to use JSONP?
> 
> Possibly, but what effect would it realistically have at this point?
> 
> /mz
> 

Received on Thursday, 1 September 2011 06:03:30 UTC