undefined | Better HN

0 pointsrecursivedoubts3y ago0 comments

htmx can work w/ a CSP, sans a few features (hx-on, event filters)

0 comments

1 comments · 1 top-level

My understanding based on the docs[0] is that htmx works with CSP, but it also drastically weakens its protection, as attackers who successfully inject JS into htmx attributes gain code execution that CSP would have normally prevented.

Am I misunderstanding? If I can use htmx without sacrificing the benefits of CSP, I'd really love to use htmx.

[0] https://htmx.org/docs/#security

1 more reply

j / k navigate · click thread line to collapse