The security objection to the original "own CSP" design was never fully developed - I'm not sure it's necessarily a show-stopper.
Nick

On 30 January 2014 18:53, Scott Miles <sjmi...@google.com> wrote:

> I'm hoping there are some constraints we can impose on imports to allow
> them to contain inline scripts to exist under CSP.
>
> Failing that, we already have a tool ('vulcanizer') which can separate
> scripts out of imports (and to the reverse as well).
>
> Whether an import uses inline or external scripts is invisible to the
> importer.
>
>
> On Wed, Jan 29, 2014 at 5:47 PM, Gabor Krizsanits <gkrizsan...@mozilla.com
> > wrote:
>
>> One more thing that little bit worries me, that the most common request
>> when it comes to CSP is banning inline scripts. If all the imports obey the
>> CSP of the master, which I think the only way to go, that also probably
>> means that in most cases we can only use imports those do not have any
>> inline scripting either... I think this should be mentioned in the spec.
>> Since if you develop some huge library let's say, based on imports, and
>> then no customer can use it who also want to have CSP, because it's full of
>> inline scripts, that would be quite annoying.
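
The separation discussed in the quoted messages (moving inline scripts out of an import so it can load under a policy that bans inline script), as an added sketch that is not part of the original thread and is not vulcanizer's code. The function names, the generated file names and the sample import are all constructed for illustration.

```javascript
// Added illustration; NOT the vulcanizer tool's code. All names are hypothetical.
// Regex scanning is adequate for this constructed sample; a real tool should use an HTML parser.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const JS_TYPE_RE = /^(text|application)\/(java|ecma)script$|^module$/i;

// Reads one attribute value out of a tag's raw attribute string, or null if absent.
function attr(attrs, name) {
  const m = new RegExp('(?:^|\\s)' + name + '\\s*=\\s*("([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i').exec(attrs);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Returns { html, files }: html has inline scripts replaced by src references,
// files maps each generated file name to the script text moved into it.
function externalizeInlineScripts(html, baseName) {
  const files = {};
  let n = 0;
  const out = html.replace(SCRIPT_RE, (whole, attrs, body) => {
    if (attr(attrs, 'src') !== null) return whole;            // already external
    const type = attr(attrs, 'type');
    if (type && !JS_TYPE_RE.test(type.trim())) return whole;  // data block, never executed
    if (body.trim() === '') return whole;                     // nothing to move
    const name = `${baseName}-${n++}.js`;
    files[name] = body.trim() + '\n';
    return `<script${attrs} src="${name}"></script>`;
  });
  return { html: out, files };
}

// Counts script elements that a policy without 'unsafe-inline' would refuse to run.
function countInlineScripts(html) {
  let count = 0;
  for (const m of html.matchAll(SCRIPT_RE)) {
    const type = attr(m[1], 'type');
    const isJs = !type || JS_TYPE_RE.test(type.trim());
    if (isJs && attr(m[1], 'src') === null && m[2].trim() !== '') count++;
  }
  return count;
}

// Constructed sample import (not taken from the thread).
const SAMPLE_IMPORT = `<link rel="import" href="dep.html">
<script src="lib.js"></script>
<script>window.widgetReady = true;</script>
<script type="text/template"><b>{{name}}</b></script>
<script type="text/javascript">
  console.log("widget loaded");
</script>`;
```

Inline event-handler attributes such as `onclick` are also blocked by a policy that bans inline script, and this sketch does not rewrite them.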