0 points
elmigranto
1y ago
> if someone manages to inject arbitrary HTML
If they can, why wouldn’t it be inline <script>?
2 comments · 1 top-level
amluto
1y ago
Because CSP can be configured to block inline scripts.
jsheard
1y ago
The syntax to allow inline scripts is even "unsafe-inline" to emphasize that you are entering the danger zone.
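The replies above, illustrated with an added example that is not part of the original thread: a check of whether a given Content-Security-Policy would let an injected inline `<script>` element without a nonce or hash execute. The function names (`parsePolicy`, `injectedInlineScriptRuns`) and the sample policies are constructed for illustration, and the check assumes a single policy rather than a comma-separated list.

```javascript
// Added example: decide whether a CSP lets an injected, nonce-less inline
// <script> element run. Handles one policy (no comma-separated policy lists).

// Parse a serialized policy into a Map of directive name -> source tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Inline <script> elements are governed by the first directive present in
// this fallback chain.
const FALLBACK = ['script-src-elem', 'script-src', 'default-src'];

function injectedInlineScriptRuns(policy) {
  const directives = parsePolicy(policy);
  const governing = FALLBACK.find((name) => directives.has(name));
  // No governing directive: the policy places no restriction on scripts.
  if (governing === undefined) return { runs: true, reason: 'no script directive' };

  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)[^']+'$/.test(s));
  const strictDynamic = sources.includes("'strict-dynamic'");
  const unsafeInline = sources.includes("'unsafe-inline'");

  if (!unsafeInline) return { runs: false, reason: `${governing} lacks 'unsafe-inline'` };
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  if (hasNonceOrHash || strictDynamic) {
    return { runs: false, reason: `'unsafe-inline' ignored in ${governing}` };
  }
  return { runs: true, reason: `${governing} contains 'unsafe-inline'` };
}

// Constructed sample policies (not taken from any real site).
const SAMPLES = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'nonce-r4nd0m' 'unsafe-inline'",
  "img-src *",
];
for (const p of SAMPLES) console.log(p, '=>', injectedInlineScriptRuns(p));
```
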