On Dec 6, 2017, at 12:22 PM, Richard Hipp <[email protected]> wrote:
>
> (6) CSP header says: "default-src 'self' 'unsafe-inline'".
Don’t undersell the advantages. That’s a significant improvement already:

1. It disallows all eval() cases, which closes off a whole class of attacks.
2. It disallows active content from third-party sites even if someone manages to inject a reference to such into the page itself.

It’s one of those 90/10 things: the first 90% of the work took 90% of the development time, and the remaining 10% of the work will take the other 90% of the development time. :)

_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
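The two effects described in the reply above can be checked mechanically. The following is an added example, not code from the thread or from Fossil: a small model of the script-related part of a Content-Security-Policy header. It handles the source expressions that matter for the policy quoted above ('self', 'unsafe-inline', 'unsafe-eval', 'none', scheme and host sources, including the script-src to default-src fallback) and deliberately omits nonces, hashes, 'strict-dynamic' and path matching. The page origin `https://fossil-scm.org` and the script URLs in the comments are assumed inputs chosen for illustration.

```javascript
// Added example (not Fossil's code): which scripts does a CSP header let a page run?
// Modelled: 'self', 'unsafe-inline', 'unsafe-eval', 'none', scheme- and host-sources,
// and the rule that script-src overrides default-src when present.
// Omitted on purpose: nonces, hashes, 'strict-dynamic', path matching.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Parse "dir src src; dir src" into Map<directive, [source expressions]>.
// A directive repeated within one policy keeps its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one scheme-source or host-source expression match a fetched script URL?
function hostSourceMatches(source, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {            // scheme-source, e.g. "https:"
    return u.protocol === source.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+|\*)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  // Without an explicit scheme a host-source matches the page's own scheme;
  // browsers additionally let an http: page load https: resources.
  const schemeOk = scheme
    ? u.protocol === scheme.toLowerCase() + ':'
    : u.protocol === pageScheme || (pageScheme === 'http:' && u.protocol === 'https:');
  const hostOk = host === '*'
    ? true
    : wildcard
      ? u.hostname.endsWith('.' + host.toLowerCase())
      : u.hostname === host.toLowerCase();
  const portOk = !port || port === '*' || (u.port || DEFAULT_PORTS[u.protocol]) === port;
  return schemeOk && hostOk && portOk;
}

// request: { kind: 'external', url } | { kind: 'inline' } | { kind: 'eval' }
// Returns true when the policy permits the script to run.
function scriptAllowed(header, request, pageOrigin) {
  const directives = parseCsp(header);
  // script-src governs scripts; default-src is only the fallback when it is absent.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;              // header restricts nothing for scripts
  const lower = sources.map(s => s.toLowerCase());
  if (lower.length === 1 && lower[0] === "'none'") return false;
  if (request.kind === 'eval') return lower.includes("'unsafe-eval'");     // eval/new Function/setTimeout(string)
  if (request.kind === 'inline') return lower.includes("'unsafe-inline'"); // <script>...</script>, on* handlers
  return lower.some(src =>
    src === "'self'"
      ? new URL(request.url).origin === pageOrigin
      : !src.startsWith("'") && hostSourceMatches(src, request.url, pageOrigin));
}

// The policy quoted in the thread, evaluated for an assumed page origin.
const FOSSIL_POLICY = "default-src 'self' 'unsafe-inline'";
const PAGE = 'https://fossil-scm.org';
scriptAllowed(FOSSIL_POLICY, { kind: 'eval' }, PAGE);                                    // false: no 'unsafe-eval'
scriptAllowed(FOSSIL_POLICY, { kind: 'inline' }, PAGE);                                  // true: 'unsafe-inline'
scriptAllowed(FOSSIL_POLICY, { kind: 'external', url: 'https://fossil-scm.org/s.js' }, PAGE);   // true: 'self'
scriptAllowed(FOSSIL_POLICY, { kind: 'external', url: 'https://cdn.evil.example/x.js' }, PAGE); // false: third party
```

The last two results are the two points made in the reply: an injected `eval()` call is refused because `'unsafe-eval'` is absent, and an injected `<script src="https://cdn.evil.example/...">` is refused because only `'self'` is a permitted host. What the policy does not stop is an injected inline `<script>` block, which is exactly what `'unsafe-inline'` keeps open.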

