april · October 5, 2017 20:53
diff --git a/example.html b/example.html
 Note that instead of using a unique nonce on each page load, you could instead
 have the sha256 hash of the contents of that inline script and be completely static.

 > Content-Security-Policy: script-src 'strict-dynamic' 'nonce-abcdef123467890' 'unsafe-inline' https:

 <html>
  <head>
    <title>Hello World</title>
  </head>
  <body>
    <script nonce="abcdef1234567890">
      var shim = document.createElement('script');
      shim.src = '/scripts/shim.js';
      document.head.appendChild(shim);
    </script>
  </body>
 </html>

 This will tell the browser to trust shim.js and any other scripts that get inserted
 into the page by shim.js or scripts that shim.js or its children loads If the browser understands
 'strict-dynamic' (currently Chrome and Firefox), then you get XSS protections despite
 the presence of 'unsafe-inline'. If it doesn't understand 'strict-dynamic', then it operates
 by allowing 'unsafe-inline', the same as it works now.
	Note that instead of using a unique nonce on each page load, you could instead
	have the sha256 hash of the contents of that inline script and be completely static.

	> Content-Security-Policy: script-src 'strict-dynamic' 'nonce-abcdef123467890' 'unsafe-inline' https:

	<html>
	<head>
	<title>Hello World</title>
	</head>
	<body>
	<script nonce="abcdef1234567890">
	var shim = document.createElement('script');
	shim.src = '/scripts/shim.js';
	document.head.appendChild(shim);
	</script>
	</body>
	</html>

	This will tell the browser to trust shim.js and any other scripts that get inserted
	into the page by shim.js or scripts that shim.js or its children loads If the browser understands
	'strict-dynamic' (currently Chrome and Firefox), then you get XSS protections despite
	the presence of 'unsafe-inline'. If it doesn't understand 'strict-dynamic', then it operates
	by allowing 'unsafe-inline', the same as it works now.