On Oct 18, 2017, at 3:44 AM, Warren Young <war...@etr-usa.com> wrote:
>
> The more web apps that ship with stringent Content-Security-Policy headers,
> the fewer arguments we’ll have for allowing JS on web pages.

Wow…caffeine isn’t working yet, obviously.

What I meant to say is that the more web sites and web apps that ship with stringent CSP headers, the fewer *good* arguments we’ll have for *disallowing* JS on web pages. That is to say, with a strong CSP, many of the arguments against allowing JS to run by default go away.

This article explains the whys and wherefores:

https://developers.google.com/web/fundamentals/security/csp/

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users