On Thu, 24 Mar 2016, Kevin Chadwick <[email protected]> wrote:
> BTW, only allowing Javascript to come from the primary domain over SSL
> would be a far saner idea, but let's see you get that past Google,
> facebook and all the other tracking sites?

It's possible with content security policy[1][2], but completely
optional and up to the webmaster (custom header sent by the server).
Google etc are actually pushing for it.

[1]: https://en.wikipedia.org/wiki/Content_Security_Policy
[2]: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
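
An added example, not part of the original message: a small auditor that parses a Content-Security-Policy header value and reports whether scripts are restricted to the page's own origin, which on an HTTPS page is what `'self'` amounts to. The function names and sample policies are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header value.
// parseCsp/auditScriptPolicy and the sample policies are hypothetical names
// and constructed inputs, not taken from the thread.

// Split a policy into a map of directive name -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report whether script loading is limited to the page's own origin.
function auditScriptPolicy(header) {
  const d = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) {
    return { sameOriginOnly: false, reason: 'no script-src or default-src: scripts unrestricted' };
  }
  // Anything other than 'self' or 'none' widens the policy:
  // third-party hosts, scheme sources, wildcards, 'unsafe-inline', and so on.
  const extra = sources.map((s) => s.toLowerCase())
    .filter((s) => s !== "'self'" && s !== "'none'");
  if (extra.length > 0) {
    return { sameOriginOnly: false, reason: 'also allows: ' + extra.join(' ') };
  }
  return { sameOriginOnly: true, reason: 'scripts limited to own origin' };
}

// Constructed sample policies.
const samples = [
  "default-src 'none'; script-src 'self'",
  "script-src 'self' https://tracker.example",
  "img-src 'self'",
];
for (const p of samples) console.log(p, '->', auditScriptPolicy(p));
```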
