by h4ck_th3_pl4n3t 434 days ago
The problem with CSP is that it's fixing the effect, not the cause.

It is also made in a way that it is optional (never break the web mentality), so what happens in practice is the same as with CORS: allow all, because web devs don't understand what to do, and don't have time to read the RFC.

For example: try getting a web page to run that uses a WebAssembly binary _and_ an external JS library. Come back after 2 weeks of debugging and let me know what your experience was like, and why you eventually gave up on it.