> >>>>>>>>> I am a fan of #3 over #2. CSP is already pretty confusing and I
> >>>>>>>>> value anything that tries to make it simpler.
> >>
> >> That the "allow-dynamic" doesn't implicitly drop the URI whitelist. Are
> >> there use-cases for these separately?
>
> I'm all for adding things to the platform if they're useful, but I'm not
> convinced from this thread that these keywords add anything other than
> complexity. That is, Brad can accomplish the things he's interested in
> with two policies, which I think actually turns out to be a more powerful
> primitive than splitting the keywords.

hmm .. the use case I am interested in is

script-src https://www.dropbox.com/script/require.js 'allow-dynamic'

Right now, this would force me to use a nonce. The nonce then is a leakable
token present in the HTML of the page. Not a huge risk, but still.

> Concretely, would Dropbox use one (or both?) of these keywords if we
> implemented them?

Not really sure yet. But, I am inclined towards the script-src example
above.

--dev

> Based on the experience Artur is sharing, the current behavior seems to
> meet most needs. I agree that it's complicated, but I think that's a
> fundamental critique of the whole project at this point. :)
>
> -mike

Received on Monday, 6 June 2016 14:46:20 UTC
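Added example, not part of the thread and not code from Dropbox or the W3C webappsec group: a small Python evaluator of the script-src semantics the message is arguing about. It models three policies: a plain URL allowlist, the allowlist plus the hypothetical 'allow-dynamic' keyword (assumed here, as the thread proposes, to keep the URI whitelist), and a nonce plus 'strict-dynamic' as CSP3 eventually shipped it (which ignores host sources once a nonce or hash is present). The URLs, the nonce value and the `app.js` dependency are constructed for the example; the point it shows is that without a dynamic keyword a whitelisted loader such as require.js cannot inject its dependencies, which is why the author says the policy currently forces a nonce.

```python
"""Toy model of CSP script-src decisions: allowlist vs 'allow-dynamic' vs nonce + 'strict-dynamic'.
Not a full CSP implementation ('self', hashes and wildcard schemes are ignored); it only covers
the cases discussed in the thread. 'allow-dynamic' is the hypothetical keyword from the thread,
modelled as "trust dynamically inserted scripts but keep the URI whitelist"."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ScriptRequest:
    url: str                       # absolute URL the script element points at
    nonce: str = ""                # nonce attribute on the element, if any
    parser_inserted: bool = True   # False when trusted script injects it via createElement


def parse_script_src(policy: str) -> dict:
    """Split a script-src directive into nonces, host sources and keywords."""
    tokens = policy.split()
    if tokens[0] != "script-src":
        raise ValueError("expected a script-src directive")
    parsed = {"nonces": set(), "hosts": [], "keywords": set()}
    for tok in tokens[1:]:
        if tok.startswith("'nonce-") and tok.endswith("'"):
            parsed["nonces"].add(tok[len("'nonce-"):-1])
        elif tok.startswith("'"):
            parsed["keywords"].add(tok.strip("'"))
        else:
            parsed["hosts"].append(tok)
    return parsed


def host_matches(source: str, url: str) -> bool:
    """CSP-style host-source matching: scheme (if given), host, and exact or prefix path."""
    if "://" not in source:
        source = "//" + source      # scheme-less host source matches any scheme here
    src, tgt = urlsplit(source), urlsplit(url)
    if src.scheme and src.scheme != tgt.scheme:
        return False
    if src.netloc.startswith("*."):
        if not (tgt.hostname or "").endswith(src.netloc[1:]):
            return False
    elif src.netloc != tgt.netloc:
        return False
    if src.path and src.path != "/":
        if src.path.endswith("/"):       # directory source: prefix match
            return tgt.path.startswith(src.path)
        return tgt.path == src.path      # file source: exact match
    return True


def allowed(policy: str, req: ScriptRequest) -> bool:
    """Decide whether the request may execute under the given script-src directive."""
    parsed = parse_script_src(policy)
    kws = parsed["keywords"]
    dynamic = "strict-dynamic" in kws or "allow-dynamic" in kws
    # A matching nonce always grants execution.
    if req.nonce and req.nonce in parsed["nonces"]:
        return True
    # Either dynamic keyword propagates trust to scripts that trusted code
    # inserts without going through the parser (createElement + appendChild).
    if dynamic and not req.parser_inserted:
        return True
    # Shipped CSP3 'strict-dynamic' ignores host sources; the thread's
    # 'allow-dynamic' is assumed to keep the URI whitelist in force.
    if "strict-dynamic" in kws:
        return False
    return any(host_matches(h, req.url) for h in parsed["hosts"])


def demo() -> dict:
    """The thread's scenario: require.js is whitelisted and then loads app.js dynamically."""
    allowlist = "script-src https://www.dropbox.com/script/require.js"
    allow_dynamic = allowlist + " 'allow-dynamic'"
    nonce_policy = "script-src 'nonce-r4nd0m' 'strict-dynamic'"   # constructed nonce value

    loader = ScriptRequest("https://www.dropbox.com/script/require.js")
    loader_with_nonce = ScriptRequest(loader.url, nonce="r4nd0m")
    dependency = ScriptRequest("https://www.dropbox.com/script/app.js", parser_inserted=False)
    injected = ScriptRequest("https://evil.example/x.js")          # markup injection, parser-inserted

    return {
        "allowlist: loader": allowed(allowlist, loader),                 # True
        "allowlist: dependency": allowed(allowlist, dependency),         # False: forces a nonce today
        "allow-dynamic: dependency": allowed(allow_dynamic, dependency), # True without any nonce
        "nonce: loader without nonce": allowed(nonce_policy, loader),    # False: nonce must be in the HTML
        "nonce: loader with nonce": allowed(nonce_policy, loader_with_nonce),
        "nonce: dependency": allowed(nonce_policy, dependency),          # True
        "injected under any policy": any(allowed(p, injected) for p in (allowlist, allow_dynamic, nonce_policy)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'allowed' if verdict else 'blocked'}")
```

The "nonce: loader without nonce" case is the cost the author objects to: under the nonce policy every parser-inserted script tag, including the whitelisted loader, must carry the nonce, so the value has to be emitted into the page's HTML on each response.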