[dojo-contributors] heya-ctr performance

James Burke jburke at dojotoolkit.org
Mon May 6 19:26:55 EDT 2013


On Mon, May 6, 2013 at 3:37 PM, Eugene Lazutkin <eugene at lazutkin.com> wrote:
> Speaking of RequireJS' possible invulnerability to CSP --- it is not
> strictly true, because CSP can prohibit loading scripts using URL
> patterns, and even govern a creation of script tags.

I did not mean to imply AMD script src loaders are invulnerable to CSP
settings. Just much more likely to avoid issues vs an XHR+eval loader.
Like limiting script sources to same domain, which still allows a
script src based loader to work, but disallowing eval. In other words,
the most likely CSP choices will still work with AMD script-src based
loaders.

I do recognize though that the developer can choose CSP options that
would break a script-src loader. However, the alternatives for script
loading would also likely break if the developer was trying to be that
restrictive.

James


More information about the dojo-contributors mailing list