by kentonv 4141 days ago
An all-new reason to use Content-Security-Policy.

How much you want to bet that thing is XSSable?


> An all-new reason to use Content-Security-Policy

Correct me if I'm wrong, but I don't think any amount of CSP will help you in this situation. They're MITMing traffic and thus can modify the CSP headers.

Fair enough, though I'd bet they aren't smart enough to have actually blocked the header. They apparently don't even support WebSocket.