Hacker News new | ask | show | jobs
by hiram112 1413 days ago
I don't see how this could be truly secure if it's JS running on the client. There is nothing stopping a user from running a custom version of Chromium or otherwise that ignores CSPs... Maybe I'm not fully understanding what is being restricted here and where the code is being run.
1 comments
charles_f 1413 days ago
I guess it's reducing the attack surface for your users, as you can't have a malicious userscript that would log your cc number or something
link