| ▲ | yuchi 3 days ago |
| As good as a script element with type application/json. |
|
| ▲ | joeframbach 2 days ago | parent | next [-] |
| I wonder if the browser would attempt to validate the contents of a script tag with type json, versus treating it as a blob that would only be validated when parsed/used. And any performance overhead at load time for doing so. Not at a machine at the moment so I can't verify. |
|
| ▲ | alserio 3 days ago | parent | prev [-] |
| well one difference is that application/json scripts are still subject to CSP policies |
|
| ▲ | unilynx 2 days ago | parent [-] |
| How so? I don't remember ever having seen issues with this. If anything CSP steers you towards this (instead of inline scripts directly assigning to JS variables) |
|
| ▲ | alserio 2 days ago | parent [-] |
| I thought I knew but it seems that the CSP story is unclear. I couldn't find an authoritative source for either position |
|
| ▲ | SahAssar 2 days ago | parent [-] |
| CSP blocks execution/inclusion, but since json does not execute and any json mimetype will not do execution there is no problem. Any CSP-allowed other script can read that application/json script tag and decode it, but it is no different than reading any other data it has access to like any other html element or attribute. |
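
The pattern discussed in this thread (data in an application/json script element, decoded by another script) as an added example, not code from any commenter. The block is never executed, but the HTML parser still decides where it ends, so the serializer has to escape `<`. The function names, the `page-data` id and the sample data are constructed, and `readDataBlock` is a simplified stand-in for the browser's `JSON.parse(document.getElementById(id).textContent)`.

```javascript
// Added example; all names and sample data are constructed for illustration.

// Naive serializer: JSON.stringify does not escape "<", so a string value
// containing "</script>" ends the element early in the HTML parser.
function naiveDataBlock(id, data) {
  return `<script type="application/json" id="${id}">${JSON.stringify(data)}</script>`;
}

// Hardened serializer: emit "<" as the JSON escape \u003c. JSON.parse turns it
// back into "<", but the HTML parser never sees a closing tag inside the data.
function safeDataBlock(id, data) {
  if (!/^[A-Za-z][\w-]*$/.test(id)) throw new Error("unexpected id");
  const json = JSON.stringify(data).replace(/</g, "\\u003c");
  return `<script type="application/json" id="${id}">${json}</script>`;
}

// Simplified model of the reader: the element's text ends at the first
// "</script" followed by whitespace, "/" or ">", then the text is JSON-decoded.
function readDataBlock(html, id) {
  const open = `<script type="application/json" id="${id}">`;
  const start = html.indexOf(open);
  if (start === -1) return null;
  const rest = html.slice(start + open.length);
  const end = rest.search(/<\/script[\s\/>]/i);
  if (end === -1) return null;
  return JSON.parse(rest.slice(0, end));
}

// Constructed sample: ordinary text that happens to contain a closing tag.
const sample = { user: "example", note: "closing tag </script> inside a string" };

function demo() {
  let naiveError = null;
  try {
    readDataBlock(naiveDataBlock("page-data", sample), "page-data");
  } catch (e) {
    naiveError = e.name; // data block was cut short, so the JSON is invalid
  }
  const safeHtml = safeDataBlock("page-data", sample);
  return { naiveError, safeHtml, roundTrip: readDataBlock(safeHtml, "page-data") };
}

console.log(demo());
```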
|
|
|