elmigranto 710 days ago
> if someone manages to inject arbitrary HTML
If they can, why wouldn’t it be inline <script>?
amluto 710 days ago
Because CSP can be configured to block inline scripts.
jsheard 710 days ago
The syntax to allow inline scripts is even "unsafe-inline" to emphasize that you are entering the danger zone.