Feature-detecting a Content Security Policy

From: Marijn Haverbeke <marijnh@gmail.com>
Date: Fri, 26 Sep 2014 16:32:06 +0200
Message-ID: <CAJnHWXuetfvDZ2gZzX_KQKHi8xEoudwVCDFTLnjXQqadHPtDbg@mail.gmail.com>
To: public-webappsec@w3.org
The simple question: why was document.securityPolicy removed? I was
not able to find the relevant discussion.

Background: I maintain several JavaScript libraries that use run-time
evaluation as an optimization strategy. Users (mostly building Chrome
Web Apps) have started reporting problems with using these libraries
when a CSP is active. It is usually possible to fall back to a slower
approach without evaluation, but it seems there is no way (short of
triggering an actual violation) of detecting that such a policy is in
place, which would be necessary to know when to fall back to the
eval-less implementation.

Marijn Haverbeke
Received on Saturday, 27 September 2014 09:25:59 UTC
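
An added example, not part of the original message or of the author's libraries: the violation-triggering probe the message mentions, run once and used to choose between a generated-code path and an eval-free path for a small property-path getter. All function names are hypothetical, and the injectable constructor parameter is an assumption made so the blocked case can be simulated outside a browser.

```javascript
// Probe once whether run-time code generation works. Under a CSP without
// 'unsafe-eval' the Function constructor throws (EvalError in browsers),
// and the browser records a violation for this probe.
function evalAllowed(FunctionCtor) {
  try {
    return new FunctionCtor("return 1 + 1")() === 2;
  } catch (e) {
    return false;
  }
}

// Only plain identifiers may reach the code generator, so a path string
// can never smuggle statements into the generated source.
const SAFE_SEGMENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function parsePath(path) {
  const segments = String(path).split(".");
  for (const s of segments) {
    if (!SAFE_SEGMENT.test(s)) throw new TypeError("invalid path segment: " + s);
  }
  return segments;
}

// Fast path: straight-line generated source, one null check per segment.
function compileWithCodegen(segments, FunctionCtor) {
  let body = "var v = obj;\n";
  for (const s of segments) {
    body += "if (v == null) return undefined; v = v." + s + ";\n";
  }
  return new FunctionCtor("obj", body + "return v;");
}

// Slow path: same semantics, no evaluation, safe under any policy.
function compileWithClosure(segments) {
  return function (obj) {
    let v = obj;
    for (const s of segments) {
      if (v == null) return undefined;
      v = v[s];
    }
    return v;
  };
}

// Decide once per compiler instance; every getter then uses the same path.
function makeCompiler(FunctionCtor = Function) {
  const useCodegen = evalAllowed(FunctionCtor);
  const compile = (path) => {
    const segments = parsePath(path);
    return useCodegen ? compileWithCodegen(segments, FunctionCtor)
                      : compileWithClosure(segments);
  };
  return { useCodegen, compile };
}
```

Because the probe itself is a blocked evaluation, a policy with a report endpoint will receive one report per page load from it.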