Open foolip opened 6 years ago
Yeah.
Not if @arturjanc picks it up as he's suggested that he's going to.
This unexpectedly came up in a meeting today. Assuming that @arturjanc hasn't worked on this in the last ~3 years, I'll figure out some way to put a scary red box on the spec.
If this is to be picked up, however, some use cases for the API came up as part of Trusted Types: https://github.com/w3c/webappsec-trusted-types/issues/36.
To briefly summarise, by testing that some restrictions are enforced by the browser, the application might skip loading (or executing) the code that enforces similar restrictions in JS - or disable certain functionality.
The downside of introducing an API is that if applications branch on CSP presence, adding a report-only policy might stop being a no-op, and might even break the application if parts of it were not tested.
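The two points in the comment above, as an added example that is not code from this thread, from the CSP spec or from the Trusted Types project: a page can probe whether the browser already enforces a restriction and skip its own JS-side shim, but a decision rule that keys on the mere presence of a policy silently skips the shim once a Content-Security-Policy-Report-Only header is added. The `SAMPLE_POLICIES` objects model what a hypothetical introspection API might hand back; no such API exists, and the function names are illustrative.

```javascript
// Added example (not from the thread). Illustrates feature-detecting an
// enforced CSP restriction, and why branching on policy *presence* rather
// than *enforcement* breaks the "report-only is a no-op" assumption.

// Real-world probe: when the enforced script-src lacks 'unsafe-eval',
// new Function() throws an EvalError. A report-only policy only generates a
// report and does not throw, so a probe observes enforced restrictions only.
function cspBlocksEval() {
  try {
    new Function('return 1')();
    return false; // eval-like construction allowed: browser does not enforce it
  } catch (e) {
    return e instanceof EvalError; // blocked by CSP, not by some other error
  }
}

// Hypothetical shape of per-policy data an introspection API might expose
// (constructed sample, not a real API): what is restricted and in which mode.
const SAMPLE_POLICIES = [
  { restriction: 'no-eval', mode: 'enforce' },
  { restriction: 'trusted-types', mode: 'report-only' },
];

// Unsafe rule: any policy mentioning the restriction counts as "browser has it".
// A freshly added report-only policy makes this skip the shim, so the page
// loses the protection it used to implement itself.
function shimNeededByPresence(policies, restriction) {
  return !policies.some((p) => p.restriction === restriction);
}

// Safe rule: skip the shim only when the restriction is actually enforced,
// which keeps report-only deployments behaviourally identical to no policy.
function shimNeededByEnforcement(policies, restriction) {
  return !policies.some(
    (p) => p.restriction === restriction && p.mode === 'enforce',
  );
}

// Which JS shims a page would load for the given restrictions under a rule.
function planShims(policies, restrictions, rule) {
  return restrictions.filter((r) => rule(policies, r));
}

// Stand-alone run: compare the two rules on the constructed sample.
const WANTED = ['no-eval', 'trusted-types'];
console.log('eval blocked by CSP here:', cspBlocksEval());
console.log('shims by presence   :', planShims(SAMPLE_POLICIES, WANTED, shimNeededByPresence));
console.log('shims by enforcement:', planShims(SAMPLE_POLICIES, WANTED, shimNeededByEnforcement));
```

Run under Node (no CSP applies) the probe reports `false`; in a page served with a `script-src` that omits `'unsafe-eval'` it reports `true`, and with the same directive delivered report-only it still reports `false`, which is exactly the property the presence-based rule loses.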
I, indeed, have not worked on this in the last 3 years! It still seems like a good idea, but I agree with obsoleting this proposal unless someone comes along who can actively drive it.
Should this be given the same scary red box as https://w3c.github.io/webappsec-csp/cookies/?