- From: Ricardo Iramar dos Santos <riramar@gmail.com>
- Date: Sat, 24 Feb 2024 11:43:18 -0300
- To: WebAppSec WG <public-webappsec@w3.org>
Received on Saturday, 24 February 2024 14:43:33 UTC
Hi All,

I received the following question on the OWASP Security Headers Project, but I'm not sure if this works as intended. Do you guys know if the Content Security Policy (CSP) should block in this case?

https://github.com/oshp/oshp-tracking/discussions/25

*It seems, unless I missed a subtlety, that a CSP cannot be used to act on the capabilities of a loaded JavaScript script when the CSP is applied on the script itself, via the HTTP response that sends it.*

Best regards,
Ricardo Iramar