- From: Frederik Braun <fbraun@mozilla.com>
- Date: Mon, 23 Sep 2013 14:58:54 +0200
- To: public-webappsec@w3.org
On 20.09.2013 00:46, Neil Matatall wrote:
> If a script hash source is specified and the user agent understands
> it, the browser should ignore the 'unsafe-inline' directive for
> backwards compatibility. Any inline script whose computed hash value
> does not match a hash specified in the hash sources should not be
> executed and an informative error message should be displayed
> including the expected hash value.

What if I have to use 'unsafe-inline' but may still want to whitelist some hashes explicitly? 'unsafe-inline-pretty-please'? ;)
Received on Monday, 23 September 2013 12:59:23 UTC
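
The rule quoted in the message above, worked through as an added example (not part of the original message and not any browser's code): it shows why a policy carrying both 'unsafe-inline' and a hash source behaves differently in a hash-aware and a legacy user agent. The function name `checkInlineScript`, the flag `uaUnderstandsHashes` and the `'sha256-<base64>'` source syntax (taken from the later CSP Level 2 specification) are assumptions; the message itself fixes no syntax.

```javascript
// Added illustration; not code from the original thread or from any browser.
const { createHash } = require('node:crypto');

// Assumed hash-source syntax: 'sha256-<base64 digest>' (CSP Level 2).
const HASH_SOURCE = /^'sha256-([A-Za-z0-9+/]+={0,2})'$/;

function sha256Base64(text) {
  return createHash('sha256').update(text, 'utf8').digest('base64');
}

// Decide whether an inline script runs under a script-src source list.
// uaUnderstandsHashes: true models a hash-aware browser, false a legacy one.
function checkInlineScript(scriptSrc, scriptText, uaUnderstandsHashes) {
  const sources = scriptSrc.trim().split(/\s+/);
  const unsafeInline = sources.includes("'unsafe-inline'");
  const hashes = sources
    .map((s) => HASH_SOURCE.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);

  // Legacy UA, or no hash source present: only 'unsafe-inline' decides.
  if (!uaUnderstandsHashes || hashes.length === 0) {
    return { allowed: unsafeInline, reason: unsafeInline ? 'unsafe-inline' : 'inline blocked' };
  }

  // Hash-aware UA with a hash source: 'unsafe-inline' is ignored.
  const computed = sha256Base64(scriptText);
  if (hashes.includes(computed)) {
    return { allowed: true, reason: 'hash match' };
  }
  // Report the computed value so the author can add it to the policy.
  return { allowed: false, reason: `no hash source matches; computed 'sha256-${computed}'` };
}

// Constructed sample input: one listed script, one unlisted script.
const listed = "alert('hello');";
const unlisted = "alert('other');";
const policy = `'self' 'unsafe-inline' 'sha256-${sha256Base64(listed)}'`;
```

With `policy`, the unlisted script is blocked in a hash-aware user agent and allowed in a legacy one, which is the situation the question in the message is about.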