On Oct 18, 2017, at 8:04 AM, Richard Hipp <[email protected]> wrote: > On 10/18/17, Warren Young <[email protected]> wrote: >> On Oct 18, 2017, at 3:44 AM, Warren Young <[email protected]> wrote: >>> >>> The more web apps that ship with stringent Content-Security-Policy >>> headers, the fewer arguments we’ll have for allowing JS on web pages. > > I'd never heard of Content-Security-Policy before. A quick scan > suggests that I need to modify Fossil to make use of it. > > Target policy: default-src: 'self' > > That means, no more in-line javascript, which will be a hassle to work > around. I'll have to add a "/fossil.js" resource that contains > various scripts and insert the JSON data used to drive those scripts > as <script type='text/json'> elements, apparently. > -- > D. Richard Hipp
Doesn't HTTPS solve this problem ? Lonnie _______________________________________________ fossil-users mailing list [email protected] http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
