Re: Remove paths from CSP?

On Wed, Feb 12, 2014 at 9:33 AM, Eduardo' Vela" <Nava> <evn@google.com>wrote:

> Well, we won't be able to use CSP in Google since we (unfortunately) serve
> static JS APIs from www.google.com (which also has a lot of JSONP-like
> endpoints).
>
> These are also public APIs, so our users of such APIs won't be able to
> adopt CSP either.
>
I don't understand why a lack of paths in source expressions would mean
that Google can't adopt CSP. Users would whitelist 'www.google.com' (or '
developers.google.com') as a valid source of script. It wouldn't be as
narrow or lovely as 'developers.google.com/loader', but it's certainly not
nothing.

Can you explain?

-mike

Received on Wednesday, 12 February 2014 08:53:36 UTC