undefined | Better HN

0 pointsgildas1y ago0 comments

It's possible to define the Content Security Policy with a <META> tag in the "bootstrap page" and prevent this kind of security issue, e.g. <META http-equiv="content-security-policy" content="connect-src 'self' data: blob:;">

0 comments

4 comments · 2 top-level

Thorrez1y ago· 2 in thread

I don't think that will prevent data exfiltration. Malicious javascript could create e.g. an img element with the data to exfiltrate stored in a query parameter of the image URL.

gildasOP1y ago

The request will be blocked by the CSP.

Thorrez1y ago

Why? The CSP policy isn't setting default-src or img-src. So image loads are allowed from everywhere.

1 more reply

infotogivenm1y ago

source integrity is probably the more applicable feature for gp’s concerns

j / k navigate · click thread line to collapse