undefined | Better HN

0 pointselmigranto1y ago0 comments

> if someone manages to inject arbitrary HTML

If they can, why wouldn’t it be inline <script>?

0 comments

Because CSP can be configured to block inline scripts.

The syntax to allow inline scripts is even "unsafe-inline" to emphasize that you are entering the danger zone.

j / k navigate · click thread line to collapse

0 pointselmigranto1y ago0 comments

> if someone manages to inject arbitrary HTML

If they can, why wouldn’t it be inline <script>?

Because CSP can be configured to block inline scripts.

The syntax to allow inline scripts is even "unsafe-inline" to emphasize that you are entering the danger zone.

j / k navigate · click thread line to collapse