I think jQuery could be substituted with Zepto easily, but I do not know
if it improves on this matter.
Zepto uses "eval()". It doesn't help on this matter :-(
This function looks difficult for library developers to avoid, despite
the strong security issue it brings!
--
Camille
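
An added example, not part of the thread or of any project's code: a simplified check of whether a CSP header permits eval() and whether a script URL passes script-src 'self'. The policy strings, the origin https://app.example and the function names are constructed for illustration; host matching is reduced to exact origins.

```javascript
// Constructed sample policies (assumptions, not taken from the thread).
const STRICT = "default-src 'none'; script-src 'self'";
const WITH_EVAL = "script-src 'self' 'unsafe-eval'";

// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// script-src falls back to default-src; null means scripts are unrestricted.
function scriptSources(policy) {
  return policy.get('script-src') ?? policy.get('default-src') ?? null;
}

// eval() and similar string-to-code sinks need 'unsafe-eval' once
// script-src (or default-src) is present.
function allowsEval(policy) {
  const src = scriptSources(policy);
  return src === null || src.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// Simplified source matching: 'self' and exact scheme://host[:port] origins only.
function allowsScriptFrom(policy, scriptUrl, pageOrigin) {
  const src = scriptSources(policy);
  if (src === null) return true;
  const origin = new URL(scriptUrl, pageOrigin).origin;
  return src.some(s => {
    const t = s.toLowerCase();
    if (t === "'self'") return origin === new URL(pageOrigin).origin;
    if (t.startsWith("'")) return false; // 'none', nonces, hashes: not origin matches
    try { return new URL(s).origin === origin; } catch { return false; }
  });
}
```
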
Hi Yuri,
Is this required by CSP?
I do not see how it improves security?
Well, the script-src 'self' prevents the browser from executing JS that comes
from any external server. If an attacker wants your browser to execute
his JS, he has to compromise your servers first. For me, yes it improves