- TIL 'strict-dynamic' - Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP)
  Set 'strict-dynamic' (Content Security Policy Level 3) to reduce the effort of deploying a nonce- or hash-based CSP by automatically allowing the execution of scripts that are created by an already trusted script. This also unblocks the use of most third party JavaScript libraries and widgets.
- Read CSP Is Dead, Long Live Strict CSP! - DeepSec 2016 - Speaker Deck
- Read CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy – Google Research
- Read Why it's time to update our language about bad design patterns by Amy Hupe, content designer - A very good read and something I hope we can move to more in our communication.
I lead the Chrome Developer Relations team at Google.
We want people to have the best experience possible on the web without having to install a native app or produce content in a walled garden.
Our team tries to make it easier for developers to build on the web by supporting every Chrome release, creating great content to support developers on web.dev, contributing to MDN, helping to improve browser compatibility, and some of the best developer tools like Lighthouse, Workbox, Squoosh to name just a few.