by tlrobinson 3083 days ago
Indeed. Then the middleware could also inject exfiltration JavaScript in `text/html` or `application/javascript` responses, which would work even if the app doesn’t use npm modules on the frontend.

This applies to almost any backend web framework and package manager, but the culture of micro packages in npm suits itself well to this attack.


Clearly what we need is cryptographically-signed JavaScript and CSP pinning.

(I’m only half joking)

EDIT: oh, CSP pinning is actually a thing that’s been proposed https://www.w3.org/TR/csp-pinning/