I think it would make more sense to use nsIContentSecurityPolicy's allowsInlineScript for this as I pointed at earlier
your intention sounds along the lines of the proposed script-nonce/script-hash directive for CSP 1.1, although i don't think you've mentioned what identifier you're going to use :) ian ----- Original Message ----- From: "jeremy ralegh" <jeremy.ral...@gmx.ch> To: dev-security@lists.mozilla.org Sent: Tuesday, March 19, 2013 1:12:43 AM Subject: Re: shouldLoad( ) and shouldProcess( ) Thanks Boris, but what does that mean for me now? Repeating my intention "that I want to send an identifier for some inline script tag via a new CSP rule, check if an existing inline script tag owns this identifier and allow its execution only in this case" I still ask myself: can I use shouldProcess() for this? Besides, you write that in some cases it might not get called for inline scripts. Could you please explain these cases? Regards, Jeremy _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
