undefined | Better HN

0 pointstheandrewbailey11mo ago0 comments

CSP tells the browser where scripts and styles can come from (not just inline, but origins/domains, too). Let's pretend that an attacker can inject something into a page directly (like a SQL injection, but HTML). That script can do just about anything, like steal data from any form on the page, like login, address, or payments, or substitute your elements for theirs. If inline resources are forbidden, the damage can be limited or stopped.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP

0 comments

magicalhippo11mo ago

Still recall the classic forum exploits of including Javascript in your signature or similar, before such software started escaping input.

j / k navigate · click thread line to collapse

0 pointstheandrewbailey11mo ago0 comments

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP

0 comments

magicalhippo11mo ago

Still recall the classic forum exploits of including Javascript in your signature or similar, before such software started escaping input.

j / k navigate · click thread line to collapse