CSP’s Nonce and Hash are dangerous

Please be careful when using either of these mechanisms in dynamically generated content; if an attacker can inject content into something you’ve set a nonce attribute on (or something you generate a hash-source from) then you may have created a free bypass for an attacker.
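The failure mode described above, shown for hash-sources as an added example (not code from the original post). The function names, the `greet` call and the sample input are assumptions made up for the illustration; the same reasoning applies to a nonce set on a script element whose body contains untrusted data.

```javascript
const { createHash } = require('crypto');

// CSP hash-source for an inline script body: 'sha256-<base64 digest>'.
function hashSource(scriptBody) {
  return `'sha256-${createHash('sha256').update(scriptBody, 'utf8').digest('base64')}'`;
}

// True when the policy string lists the hash of this exact script body.
function policyApproves(csp, scriptBody) {
  return csp.split(/\s+/).includes(hashSource(scriptBody));
}

// UNSAFE: the untrusted value is spliced into the script and the result is hashed,
// so the hash covers (and the policy approves) whatever the value contained.
function renderUnsafe(userName) {
  const script = `var user = "${userName}"; greet(user);`;
  return { csp: `script-src ${hashSource(script)}`, script, html: `<script>${script}</script>` };
}

// SAFER: the executable script is a constant, so its hash never depends on input.
const STATIC_SCRIPT =
  'var user = JSON.parse(document.getElementById("data").textContent).user; greet(user);';

function renderSafe(userName) {
  // Untrusted data goes in a non-executed JSON block; "<" is escaped so the
  // value cannot close the element early.
  const json = JSON.stringify({ user: userName }).replace(/</g, '\\u003c');
  const html = `<script type="application/json" id="data">${json}</script>` +
               `<script>${STATIC_SCRIPT}</script>`;
  return { csp: `script-src ${hashSource(STATIC_SCRIPT)}`, script: STATIC_SCRIPT, html };
}

// Constructed sample input: a value that closes the string literal it is placed in.
const sample = 'x"; injected(); "';
const bad = renderUnsafe(sample);
console.log('unsafe policy approves injected body:', policyApproves(bad.csp, bad.script));
console.log('safe policy independent of input:',
  renderSafe(sample).csp === renderSafe('alice').csp);
```

In the unsafe variant the policy header changes with every input, which is a useful review signal: a hash-source that is recomputed per request is being derived from dynamic content.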


