by theandrewbailey 434 days ago
CSP tells the browser where scripts and styles can come from (not just inline, but origins/domains, too). Let's pretend that an attacker can inject something into a page directly (like a SQL injection, but HTML). That script can do just about anything, like steal data from any form on the page, like login, address, or payments, or substitute your elements for theirs. If inline resources are forbidden, the damage can be limited or stopped.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
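The point above, that a policy forbidding inline scripts stops an injected `<script>` while still letting the page load its own code from listed origins, is easier to see with a small model of how a browser evaluates `script-src`. The following is an added example written for this page, not code from the thread or its participants; it models only `script-src`/`default-src` with `'self'`, `'unsafe-inline'` and host sources (nonces, hashes, `'strict-dynamic'` and wildcard hosts are left out), and the page origin, script URLs and injected-signature script are constructed sample values.

```javascript
// Added example (not from the Hacker News thread): a minimal evaluator for
// the script-src directive of a Content-Security-Policy header, showing why
// a policy without 'unsafe-inline' refuses an inline script injected into
// the page while still allowing the page's own scripts and a listed CDN.
// Simplifications (assumptions): nonces, hashes, 'strict-dynamic', wildcard
// hosts and scheme-only sources are not modelled; host sources match on
// exact origin or exact host.

// Parse a CSP header value into { directiveName: [sources...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Effective source list for scripts: script-src, else default-src, else null
// (null means the policy says nothing about scripts, so nothing is blocked).
function scriptSources(policy) {
  const d = parsePolicy(policy);
  return d['script-src'] || d['default-src'] || null;
}

// Decide whether one script may run. `script` is either
// { inline: true, code: '...' } or { src: 'https://host/file.js' }.
function scriptAllowed(policy, pageOrigin, script) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (script.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(script.src);
  for (const source of sources) {
    if (source === "'self'") {
      if (url.origin === pageOrigin) return true;
    } else if (source.startsWith("'")) {
      continue; // other keyword sources are not modelled here
    } else if (source.includes('://')) {
      if (new URL(source).origin === url.origin) return true; // origin source
    } else if (url.host === source) {
      return true; // bare host source such as cdn.example.com
    }
  }
  return false;
}

// Audit a page's scripts under a policy; returns the ones that would be blocked.
function blockedScripts(policy, pageOrigin, scripts) {
  return scripts.filter((s) => !scriptAllowed(policy, pageOrigin, s));
}

// Constructed sample (hypothetical): a forum page that legitimately loads its
// own app.js and a CDN library, plus an inline script a user managed to get
// into their signature because the forum did not escape input.
const PAGE_ORIGIN = 'https://forum.example';
const PAGE_SCRIPTS = [
  { src: 'https://forum.example/static/app.js' },
  { src: 'https://cdn.example.com/lib.js' },
  { inline: true, code: '/* constructed: inline script injected via signature */' },
];

// Weak policy: 'unsafe-inline' lets the injected script run.
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'";
// Hardened policy: inline scripts are refused; only the listed origins load.
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";

console.log('blocked under weak policy:',
  blockedScripts(WEAK_POLICY, PAGE_ORIGIN, PAGE_SCRIPTS).length);   // 0
console.log('blocked under strict policy:',
  blockedScripts(STRICT_POLICY, PAGE_ORIGIN, PAGE_SCRIPTS).length); // 1
```

Running it shows the weak policy blocks nothing, while the hardened one blocks exactly the injected inline script and still permits `app.js` from the page's own origin and `lib.js` from the listed CDN. Note that `scriptSources` falls back to `default-src` when `script-src` is absent, which is why a policy of just `default-src 'self'` also refuses inline scripts and third-party hosts.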


Still recall the classic forum exploits of including JavaScript in your signature or similar, before such software started escaping input.