Bug #100904
Updated by Oliver Hader 10 months ago
Using CSP in the wild still shows several browsers not correctly supporting the @-attr@ or @-elem@ (CSP level 3) variants of @script-src@ and @style-src@ (CSP level 1). @style-src@. Therefore it seems to be required, to introduce an internal merge/fall-back possibility, but still keeping the specific @-attr@ or @-elem@ declarations for the future. Thus, when instructed, the @-attr@ or @-elem@ declarations shall be merged into their parent @script-src@ and @style-src@ directives. The instruction might be different for each scope (backend, frontend, frontend-site).