I agree; this is an ugly hack to satisfy the arbitrary CSP requirement.
On Thu, Feb 6, 2014 at 5:20 AM, Lance Java <lance.j...@googlemail.com> wrote:

> In theory, the data URL approach sounds perfect.
>
> But in reality we'd be swapping this:
> <script>alert('hello');</script>
>
> For this:
> <script src="data:text/javascript;charset=utf-8,alert('hello');" />
>
> As you mentioned, it's likely that at least one browser won't support this
> (I'm looking at you IE!). As I said, I'm not sure it actually achieves
> anything in terms of security (apart from ticking a box).
>

--
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com
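
The following is an added example, not part of the original thread or of Tapestry: a simplified model of how a CSP `script-src` source list treats the two script forms quoted above. The origin `https://app.example`, the function names and the three sample policies are assumptions made for illustration.

```javascript
// Added example: simplified model of CSP script-src matching (not a full CSP parser).
// Handles only 'self', 'unsafe-inline', scheme-sources such as data:, and exact origins.
const PAGE_ORIGIN = 'https://app.example'; // constructed origin

// Return the source list that governs scripts, falling back to default-src.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// Decide whether one script element would be allowed to run under the policy.
function isScriptAllowed(policy, script) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no governing directive: nothing is restricted
  if (script.src === undefined) return sources.includes("'unsafe-inline'");
  const url = new URL(script.src, PAGE_ORIGIN);
  // A data: URL has no host, so only an explicit data: scheme-source matches it.
  if (url.protocol === 'data:') return sources.includes('data:');
  if (url.origin === PAGE_ORIGIN && sources.includes("'self'")) return true;
  return sources.includes(url.origin);
}

// The two forms from the thread, as constructed script descriptors.
const INLINE = { body: "alert('hello');" };
const DATA_URL = { src: "data:text/javascript;charset=utf-8,alert('hello');" };

function compare(policy) {
  return {
    inline: isScriptAllowed(policy, INLINE),
    dataUrl: isScriptAllowed(policy, DATA_URL),
  };
}

// Constructed sample policies.
const POLICIES = ["script-src 'self'", "script-src 'self' data:", "script-src 'self' 'unsafe-inline'"];
for (const policy of POLICIES) {
  console.log(policy, compare(policy));
}
```

Under a policy that lists neither `'unsafe-inline'` nor `data:`, both forms are blocked. The data URL form loads only once `data:` is allowed as a script source, and that allowance then covers every `data:` script in the page's markup, not only the ones the framework emits.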