Contenct-Security-Policy

[enumag]

I'm currently experimenting with Content-Security-Policy and sure enough Tracy doesn't work unless both 'unsafe-inline' and 'unsafe-eval' are allowed. I can enable them for development only of course but I'd like to avoid it. Enabling It could easily lead me to a situation where I miss some real CSP violation because of it and push it to production.

[dg]

For checking whether you miss some real CSP violation you can use header Content-Security-Policy-Report-Only.

[enumag]

@dg I'm aware except it will report Tracy violations as well and I didn't find any way to filter them out to keep only the real ones.

[dg]

Tracy bar would sometime in the future work without inline and eval #81, while Bluescreen will require unsafe-inline always. This can be solved only using CSP property nonce (in the meantime it may be used by Bar too). But nonce is IMHO not supported by any browser.

Hmm, it seems that nonce is supported by Firefox and Chome http://caniuse.com/#feat=contentsecuritypolicy2

[enumag]

According to Can I use it should work in Firefox and Chrome but I didn't test it yet.

[dg]

So feel free to send PR :-)