undefined | Better HN

0 pointsThorrez1y ago0 comments

Why? The CSP policy isn't setting default-src or img-src. So image loads are allowed from everywhere.

0 comments

3 comments · 1 top-level

gildas1y ago· 2 in thread

That was just an example of syntax, nothing prevents you from blocking more resources and sandbox the page.

If we make it strict enough to block exfiltration, it'll block the external libraries from loading. So that means we have to load our scripts from the same origin instead of external origins (as jclarkcom suggested).

But the whole reason for CSP was to allow us to use external libraries without exfiltration risk. If we stop using external libraries, then our motivation for using CSP is gone. So CSP is useless for the purpose of this conversation.

gildas1y ago

I think there's been a misunderstanding, there was an error in the article suggesting that zip.min.js is not inlined in the page. This error has been corrected meanwhile. I'm sorry for that. The goal is obviously to create pages that work offline, as shown in the demo.

j / k navigate · click thread line to collapse