well one difference is that application/json scripts are still subject to CSP policies

How so? I don't remember ever having seen issues with this. If anything CSP steers you towards this (instead of inline scripts directly assigning to JS variables)

▲

alserio 2 days ago | parent [-]

I thought I knew but it seems that the CSP story is unclear. I couldn't find an authoritative source for either position

▲

SahAssar 2 days ago | parent [-]

CSP blocks execution/inclusion, but since json does not execute and any json mimetype will not do execution there is no problem.

Any CSP-allowed other script can read that application/json script tag and decode it, but it is no different than reading any other data it has access to like any other html element or attribute.

	▲	alserio 2 days ago \| parent [-]
		That makes sense, thank you