On Mon, Aug 18, 2014 at 4:57 PM, John Barton <[email protected]> wrote: > So you are claiming that CSP no longer restricts inline scripts and that the > various online docs are incorrect? Or only that the server set the > "unsafe-inline" value to opt out of the restriction?
Neither. See https://w3c.github.io/webappsec/specs/content-security-policy/ for the new nonce-source and hash-source features. (Don't read TR/, it's kind of equivalent to reading the previous version of ES, but worse.) -- http://annevankesteren.nl/ _______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss
