
Mozilla HTTP Observatory
https://observatory.mozilla.org/
Mozilla Public License 2.0

SRI: don't complain about data URIs #493

Open exyi opened 1 year ago

exyi commented 1 year ago

Resolves #455 (also created by me, a year or so ago)

In short, <script src="data:..."> is pretty much equivalent to an inline script, except that it can be async, defer or an ES module. This PR whitelists the data URI scheme as trusted, as Observatory currently considers it a script with an insecure scheme, giving significant penalties for it.

The CI will fail, because it won't find Python 3.6; otherwise the tests should pass when I tried it.
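To make the scoring question concrete, here is an added example (not http-observatory's own code and not part of this PR) of a minimal Subresource Integrity scheme check over `<script>` tags. It classifies each script the way the PR argues the Observatory should: a `data:` source is treated as inline (no SRI expected), `https:` sources are checked for an `integrity` attribute, and only genuinely external non-HTTPS sources are reported as an insecure scheme. The function names, the verdict labels and the sample HTML are assumptions constructed for this illustration.

```python
# Added example, not the project's code. Minimal SRI scheme check for <script>
# elements; all names and verdict labels below are assumptions for illustration.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the page is allowed to load external scripts from with integrity.
TRUSTED_SCHEMES = {"https"}
# Schemes that behave like inline scripts: the bytes live in the document
# itself, so there is no remote resource for SRI to protect. This is the
# change the PR asks for.
INLINE_LIKE_SCHEMES = {"data"}


class _ScriptCollector(HTMLParser):
    """Collect the attribute dicts of every <script> start tag, in order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            # HTMLParser lower-cases attribute names and gives None for
            # value-less attributes such as async/defer.
            self.scripts.append(dict(attrs))


def classify_script(attrs, page_scheme="https"):
    """Return one verdict label for a single <script> element.

    Verdicts (constructed for this example):
      inline          no src, or a data: src (equivalent to inline)
      same-origin     relative path, served by the page's own origin
      sri-ok          trusted external scheme and an integrity attribute
      sri-missing     trusted external scheme but no integrity attribute
      insecure-scheme external script over a non-trusted scheme (e.g. http:)
    """
    src = attrs.get("src")
    if src is None:
        return "inline"
    parts = urlsplit(src.strip())
    scheme = parts.scheme.lower()
    if scheme in INLINE_LIKE_SCHEMES:
        return "inline"
    if scheme == "":
        if parts.netloc == "":
            # "/static/app.js": same origin, SRI not required by the check.
            return "same-origin"
        # "//cdn.example/x.js": protocol-relative, inherits the page scheme.
        scheme = page_scheme
    if scheme not in TRUSTED_SCHEMES:
        return "insecure-scheme"
    return "sri-ok" if attrs.get("integrity") else "sri-missing"


def check_html(html, page_scheme="https"):
    """Parse an HTML document and return [(src, verdict), ...] in tag order."""
    collector = _ScriptCollector()
    collector.feed(html)
    return [(a.get("src"), classify_script(a, page_scheme)) for a in collector.scripts]


# Constructed sample document covering every verdict; the integrity digest is a
# placeholder, not a real hash.
SAMPLE_HTML = """
<script src="data:text/javascript,console.log(1)" type="module"></script>
<script>var inlineOnly = 1;</script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/other.js"></script>
<script src="http://cdn.example/legacy.js"></script>
<script src="/static/app.js"></script>
"""

if __name__ == "__main__":
    for src, verdict in check_html(SAMPLE_HTML):
        print(f"{verdict:16} {src}")
```

With the `data:` entry in `INLINE_LIKE_SCHEMES`, the first sample tag is reported as `inline` rather than `insecure-scheme`; removing `"data"` from that set reproduces the penalty the PR description complains about, which is a quick way to see exactly which scoring branch the change moves.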