develwoutacause’s Twitter Archive—№ 863

  1. #Idea: A Response.prototype.safeScript() type that returns a TrustedScript if the fetch passes CSP. You could then safely eval() the script later. Could do the same with safeHtml() that returns TrustedHtml as well...
    1. …in reply to @develwoutacause
      We would probably want to require that the page fetch() a TrustedScriptURL instead of an untrusted string, but hopefully this gets the point across at least.
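
A userland sketch of the idea in this thread, as an added example that is not the author's code. `safeScript`, `fetchSafeScript`, the policy name and the origin allowlist are hypothetical; the allowlist is an assumed stand-in for the CSP check, which the browser would perform in the proposed API.

```javascript
// Added sketch, not the tweet author's code. ALLOWED_ORIGINS is a constructed
// stand-in for the script sources the page's CSP would permit.
const ALLOWED_ORIGINS = new Set(["https://cdn.example.com"]);

// Policy callback: throws unless the URL is https and on the allowlist.
function checkScriptURL(url) {
  const parsed = new URL(url); // throws on relative or malformed input
  if (parsed.protocol !== "https:" || !ALLOWED_ORIGINS.has(parsed.origin)) {
    throw new TypeError(`script origin not allowed: ${parsed.origin}`);
  }
  return parsed.href;
}

// Use the browser's Trusted Types factory when present; otherwise fall back
// to the plain rule object so the sketch also runs where it is absent.
// Create the policy once and pass it around: duplicate names can be rejected.
function makePolicy(tt = globalThis.trustedTypes) {
  const rules = { createScriptURL: checkScriptURL, createScript: (s) => s };
  return tt ? tt.createPolicy("fetched-script", rules) : rules;
}

// Hypothetical stand-in for Response.prototype.safeScript(): only a response
// whose final URL passes the check is turned into a TrustedScript.
async function safeScript(response, policy) {
  if (!response.ok) throw new TypeError(`fetch failed: ${response.status}`);
  policy.createScriptURL(response.url); // re-check: a redirect changes the URL
  return policy.createScript(await response.text());
}

// The reply's refinement: the request itself starts from a TrustedScriptURL.
async function fetchSafeScript(url, policy, fetchFn = fetch) {
  const trustedUrl = policy.createScriptURL(url);
  return safeScript(await fetchFn(String(trustedUrl)), policy);
}
```

An opaque cross-origin response has `ok` set to false and an empty `url`, so it is rejected rather than wrapped.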