security-live / tts.bot

Break out JS from the HTML #17

Closed REG-GIE closed 1 year ago

REG-GIE commented 1 year ago

To implement CSP without hashing/nonces, it makes sense to break out the JS from the HTML in the first step, so the browser can reliably distinguish between JS code that should be executed, e.g. by loading the JS source from a file rather than having it inlined.

REG-GIE commented 1 year ago

PR: #18
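
As an added example that is not part of the thread or the project's code: a small Node.js audit that lists the constructs a `script-src 'self'` policy (no hashes, nonces or `'unsafe-inline'`) would block, run against a page before and after the JS is moved into a file. The sample markup, `speak()` and `/static/app.js` are hypothetical.

```javascript
// Added example. Reports what "script-src 'self'" (no hashes, nonces or
// 'unsafe-inline') would refuse to run. Regex scan for illustration only;
// it assumes no ">" inside attribute values. Use an HTML parser for real audits.
function findInlineJs(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    const type = (attrs.match(/\btype\s*=\s*["']?([^"'\s>]+)/i) || [])[1];
    // Data blocks such as application/json are never executed.
    const executable = !type || /^(module|(text|application)\/javascript)$/i.test(type);
    if (executable && !/\bsrc\s*=/i.test(attrs) && body.trim()) {
      findings.push({ kind: "inline-script", detail: body.trim().slice(0, 30) });
    }
  }
  // Drop script elements so their bodies are not mistaken for markup.
  const markup = html.replace(scriptRe, "");
  for (const [tag] of markup.matchAll(/<[a-z][^>]*>/gi)) {
    for (const [, name] of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: "event-handler", detail: name.toLowerCase() });
    }
    if (/\s(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(tag)) {
      findings.push({ kind: "javascript-url", detail: tag.slice(0, 30) });
    }
  }
  return findings;
}

// Constructed sample pages (hypothetical markup, not taken from the repository).
const BEFORE = `<html><body>
<button onclick="speak()">Speak</button>
<a href="javascript:void(0)">noop</a>
<script>function speak() { /* ... */ }</script>
<script type="application/json">{"voice": "en"}</script>
</body></html>`;

const AFTER = `<html><head><script src="/static/app.js"></script></head><body>
<button id="speak">Speak</button>
</body></html>`;

// The policy the externalized page can be served with.
const POLICY = "Content-Security-Policy: script-src 'self'";

console.log(POLICY);
console.log("before:", findInlineJs(BEFORE));
console.log("after:", findInlineJs(AFTER));
```

Inline event handlers and `javascript:` URLs count as inline script under CSP, so they have to move into the external file (for example as `addEventListener` calls) together with the `<script>` bodies.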