Hi!
XSLT stylesheets are currently subject to the `script-src-elem` directive. While this is a reasonable default, it may also be desirable to have a directive for XSLT specifically. There are websites which may want to allow XSL Transformations, but not JavaScript.
Would it be reasonable to add an `xslt-src` directive, which defaults to the value of `script-src-elem`? This would allow disabling scripting and script-like destinations, with the possibility of adding an exception for XSLT.
Bye :)