My web page is configured with a Content Security Policy that forbids inline JS, and indeed, I think inline javascript does represent a fairly massive attack target. In order to eliminate it, it looks like we can just call js-addition with a URL, rather than a byte string.
TBH, I can't see why the original code was the way it was, unless we overlooked the possibility of calling js-addition with a URL. Let me know if I missed something obvious!
My web page is configured with a Content Security Policy that forbids inline JS, and indeed, I think inline javascript does represent a fairly massive attack target. In order to eliminate it, it looks like we can just call
js-additionwith a URL, rather than a byte string.TBH, I can't see why the original code was the way it was, unless we overlooked the possibility of calling js-addition with a URL. Let me know if I missed something obvious!