- From: Marijn Haverbeke <marijnh@gmail.com>
- Date: Fri, 26 Sep 2014 16:32:06 +0200
- To: public-webappsec@w3.org
The simple question: why was document.securityPolicy removed? I was not able to find the relevant discussion.

Background: I maintain several JavaScript libraries that use run-time evaluation as an optimization strategy. Users (mostly building Chrome Web Apps) have started reporting problems with using these libraries when a CSP is active. It is usually possible to fall back to a slower approach without evaluation, but it seems there is no way (short of triggering an actual violation) of detecting that such a policy is in place, which would be necessary to know when to fall back to the eval-less implementation.

Best,
Marijn Haverbeke
Received on Saturday, 27 September 2014 09:25:59 UTC
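
The fallback pattern the message describes, as an added example (not code from the message or from the author's libraries): a library probes once for run-time code generation and otherwise uses an eval-less path. The probe is itself the violation-triggering check the message mentions, so under a reporting CSP it produces one report. `createGetterCompiler`, `canGenerateCode`, `makeFunction` and `blockedByPolicy` are hypothetical names; `makeFunction` is injectable only so a blocked environment can be simulated outside a browser.

```javascript
// Probe for run-time code generation. Under a CSP without 'unsafe-eval'
// the Function constructor throws EvalError and the browser records a
// violation (and sends a report if the policy configures one).
function canGenerateCode(makeFunction = Function) {
  try {
    makeFunction("return 1")();
    return true;
  } catch (err) {
    return false;
  }
}

// Only dotted identifier paths are accepted, so nothing but validated
// identifiers ever reaches the code generator.
const PATH_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function createGetterCompiler(makeFunction = Function) {
  const useCodegen = canGenerateCode(makeFunction); // probed once, then cached
  function compile(path) {
    if (!PATH_RE.test(path)) throw new TypeError("invalid path: " + path);
    const keys = path.split(".");
    if (useCodegen) {
      // Fast path: emit straight-line property access with null guards.
      let expr = "obj";
      let body = "";
      for (const k of keys) {
        body += `if (${expr} == null) return undefined;`;
        expr += "." + k;
      }
      return makeFunction("obj", `${body} return ${expr};`);
    }
    // Eval-less fallback: walk the path on every call.
    return function (obj) {
      let cur = obj;
      for (const k of keys) {
        if (cur == null) return undefined;
        cur = cur[k];
      }
      return cur;
    };
  }
  return { compile, mode: useCodegen ? "codegen" : "interpreted" };
}

// Constructed stand-in for a page whose policy forbids eval.
function blockedByPolicy() {
  throw new EvalError("code generation from strings disallowed");
}
```
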