by mtlynch
1029 days ago
Yeah, eval is the main culprit, but there's also Function, setTimeout, setInterval and friends.[0] The other gotcha is that with a secure CSP policy, you can no longer do things like <button onclick="handleClick"> because that's inline JS, so that's kind of a bummer.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...
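As an added example (not part of the comment above), this heuristic scanner flags the constructs the comment lists as blocked by a CSP that omits 'unsafe-inline' and 'unsafe-eval', and shows a rewrite that passes. The function name `findCspBlockers`, the rule names, the sample markup and the `/static/app.js` path are all hypothetical.

```javascript
// Regex-based heuristics, not a full HTML/JS parser: good enough for a
// pre-deployment grep before tightening the policy.
const RULES = [
  ["inline-handler", /<[a-z][^>]*\s(on[a-z]+)\s*=/gi],        // <button onclick=...>
  ["eval", /\beval\s*\(/g],                                   // eval("...")
  ["function-constructor", /\bnew\s+Function\s*\(/g],         // new Function("...")
  ["string-timer", /\b(?:setTimeout|setInterval)\s*\(\s*["'`]/g], // timer given a string
];

// Returns one finding per rule match: { line, rule, match }.
function findCspBlockers(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const [rule, re] of RULES) {
      for (const m of text.matchAll(re)) {
        findings.push({ line: i + 1, rule, match: m[0].trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: the inline handler from the comment plus eval-like sinks.
const BEFORE = [
  '<button onclick="handleClick()">Save</button>',
  '<script>',
  '  setTimeout("refresh()", 1000);',
  '  const add = new Function("a", "b", "return a + b");',
  '  const cfg = eval("(" + raw + ")");',
  '</script>',
].join("\n");

// Constructed rewrite: listener attached from an external script, timer given
// a function reference, plain function instead of Function, JSON.parse for data.
const AFTER = [
  '<button id="save">Save</button>',
  '<script src="/static/app.js"></script>',
  '// contents of app.js:',
  'document.getElementById("save").addEventListener("click", handleClick);',
  'setTimeout(refresh, 1000);',
  'const add = (a, b) => a + b;',
  'const cfg = JSON.parse(raw);',
].join("\n");

for (const f of findCspBlockers(BEFORE)) {
  console.log(`line ${f.line}: ${f.rule}: ${f.match}`);
}
console.log(`after rewrite: ${findCspBlockers(AFTER).length} findings`);
```

Passing a function reference to setTimeout or setInterval is allowed under the strict policy; only the string form is treated like eval.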