- From: Frederik Braun <fbraun@mozilla.com>
- Date: Fri, 10 Jan 2014 10:13:27 +0100
- To: public-webappsec@w3.org, pete@foundeo.com

On 10.01.2014 10:01, Mike West wrote:
> ..
> 3. A manual opt-in solution might be reasonable, however. One of the
>    following approaches might make sense:
>
>    1. We could add an 'unsafe-integrity' source expression to CSP's
>       grammar.
>    2. We could look at the integrity-based cache only if a nonce was
>       applied to the script.
>    3. We could take Michal's approach, and whitelist external hashes.
>    4. Moar ideas?
>
> WDYT?
>

Opt-in sounds preferable. I find Michal's approach more elegant, but am
not overly opposed to the second either.

Received on Friday, 10 January 2014 09:13:55 UTC