I added feature detection methods for 'plugin-types' and 'form-action' in https://dvcs.w3.org/hg/content-security-policy/rev/72456c14e22d We should update the API implementation to match.
Created attachment 159266 [details] Patch
Hey Adam, would you mind taking a look at this? I didn't add 'script-nonce' in this patch, as I'm not entirely sure that's a good idea. I'm tempted to address it with something like 'requiresNonce' that would return a bool, rather than giving script the ability to brute-force the nonce by continually checking 'allowsNonce("xxx")'. I'll drop an email to the list to see if anyone has a strong opinion on the matter. Thanks!
> I didn't add 'script-nonce' in this patch, as I'm not entirely sure that's a good idea. I'm tempted to address it with something like 'requiresNonce' that would return a bool, rather than giving script the ability to brute-force the nonce by continually checking 'allowsNonce("xxx")'. Another possibility is to have the nonce available in JavaScript under the theory that if you can read that property, you're already able to execute script... Hum... Let's wait a bit while we experiment with script-nonce to see how we end up using it.
Comment on attachment 159266 [details] Patch Waiting sounds reasonable. Speaking of waiting... CQ? (maybe this week...)
Comment on attachment 159266 [details] Patch Clearing flags on attachment: 159266 Committed r125983: <http://trac.webkit.org/changeset/125983>
All reviewed patches have been landed. Closing bug.