On Oct 18, 2017, at 8:04 AM, Richard Hipp <d...@sqlite.org> wrote: > On 10/18/17, Warren Young <war...@etr-usa.com> wrote: >> On Oct 18, 2017, at 3:44 AM, Warren Young <war...@etr-usa.com> wrote: >>> >>> The more web apps that ship with stringent Content-Security-Policy >>> headers, the fewer arguments we’ll have for allowing JS on web pages. > > I'd never heard of Content-Security-Policy before. A quick scan > suggests that I need to modify Fossil to make use of it. > > Target policy: default-src: 'self' > > That means, no more in-line javascript, which will be a hassle to work > around. I'll have to add a "/fossil.js" resource that contains > various scripts and insert the JSON data used to drive those scripts > as <script type='text/json'> elements, apparently. > -- > D. Richard Hipp
Doesn't HTTPS solve this problem ? Lonnie _______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users