by AgentME
3188 days ago
Personally and from experience, I think inline scripts are generally a bad idea often abused for hacky one-off tweaks, so the fact that CSP blocks them by default is a bonus to me. But for the cases that they do make sense, there are ways to allow them with the nonce property. CSP doesn't mean that people should forget about proper HTML encoding of user input, but it means that when a developer messes that up somewhere, the issue is generally a minor formatting glitch rather than an exploitable flaw that lets attackers do whatever they want with users' browsers within your domain (like steal thousands of dollars). It's some invaluable defense-in-depth.