CSP: `script-src-attr`, `script-src-elem`, `style-src-attr`, `style-src-elem` directives
Issue description
These 4 new directives provide the functionality of the script/style directive but with more granularity, applying to elements or attributes.
Sep 6
Sep 10
Definitely need to add 'script-src-eval' to this intent, otherwise we will not get a full-featured set. What is the reason why hashed-handlers will be allowed, but hashed-eval not?
Sep 10
There has been no request that I'm aware of for hashing eval strings, whereas there have been requests for hashing event handlers. That's why there is no consideration for `script-src-eval` or something of that nature.
Sep 11
A very big number of publishers definitely need the 'script-src-eval' directive. Today millions of pages with Google Ads can't be protected with CSP. As a result, there are significant losses for publishers and millions in profits for those who substitute content. Try to use CSP on any page with Google Ads and you will see that this is impossible without unsafe-inline, unsafe-eval, etc. Almost all big websites today have Google Ads and CSP is not working in full. Do you imagine how you can change the game?
Yesterday
(36 hours ago)
Comment 1 by andypaicu@chromium.org, Sep 5