This repository has been archived by the owner on Nov 21, 2024. It is now read-only.

Support a more restrictive Content-Security-Policy #489

Open
linkmauve opened this issue Nov 26, 2016 · 0 comments

Comments

@linkmauve
Contributor

When CSP is enabled, Candy is unable to function properly.

The most obvious issues are the presence of the onsubmit, onchange, etc. attributes. The example.html file also ships some inline script which should be disallowed.

CSP is very important for a client like Candy since it provides additional security against attackers embedding scripts or styles in their payloads.
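An added example, not part of the original issue or of Candy's code: a small audit that lists the markup a policy without `'unsafe-inline'` would block, namely inline event-handler attributes, inline `<script>`/`<style>` bodies, `style` attributes and `javascript:` URLs. The sample HTML and the function names in it (`startChat`, `login`, `setLang`) are constructed for illustration.

```python
from html.parser import HTMLParser
# Constructed sample markup for illustration; not Candy's real example.html.
SAMPLE_HTML = """<!DOCTYPE html>
<script src="app.js"></script>
<script>
  startChat();
</script>
<form onsubmit="return login(this);">
  <select onchange="setLang(this.value)"></select>
  <a href="javascript:void(0)" style="color: red">help</a>
</form>
"""

class CSPAudit(HTMLParser):
    """Records markup that a policy without 'unsafe-inline' refuses to run or apply."""
    def __init__(self):
        super().__init__()
        self.findings = []        # (line, kind, where)
        self._inline_at = None    # (line, tag) of an open inline <script>/<style>

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            if name.startswith("on"):            # onsubmit, onchange, onclick, ...
                self.findings.append((line, "inline-handler", f"{tag}[{name}]"))
            elif name == "style":
                self.findings.append((line, "inline-style", f"{tag}[style]"))
            elif (value or "").strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", f"{tag}[{name}]"))
        if tag == "style" or (tag == "script" and "src" not in dict(attrs)):
            self._inline_at = (line, tag)

    def handle_data(self, data):
        if self._inline_at and data.strip():     # element has a non-empty inline body
            line, tag = self._inline_at
            self.findings.append((line, f"inline-{tag}", f"<{tag}>"))
            self._inline_at = None

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._inline_at = None

def audit(html):
    parser = CSPAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
if __name__ == "__main__":
    print(*audit(SAMPLE_HTML), sep="\n")
```

An empty result for every shipped HTML file and template means handlers are attached from external script files, which is the precondition for serving a policy without `'unsafe-inline'`.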
