>
>> just the inline <script> tag, or are inline event listeners in the
>> import also allowed ?
>>
>
> Sure, why not? I'm not a huge fan of inline event handlers, but I don't
> think that allowing them (and inline script) in Imports actually increases
> the risk a developer exposes herself to. Do you think that's an incorrect
> analysis?
>
> I don't think its incorrect, but I think it complicates other use cases.
e.g. if I'm serving HTML+JS ads authored by a 3rd party, part of what I'd
like to get out of forbidding inline with CSP is that I know that all
script content must be packaged in a distinct file that is much easier to
analyze as such than HTML with inline event handlers, etc.
-Brad