Y
Hacker News
new
|
ask
|
show
|
jobs
by
roebk
1407 days ago
Can this be circumvented by a very strict Content-Security-Policy?
1 comments
paxys
1407 days ago
It’s on the browser to enforce CSP headers. In this case the browser itself is doing the malicious script injection. Think of it as a browser extension, just running without your consent. It’s up to the browser - not the website - to reject it.
link