Closed sesh closed 11 months ago
A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval().
via https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
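The rule quoted above can be checked mechanically against a policy string. The following is an added example, not code from this issue or from MDN: the function names `parseCsp` and `scriptProtections` and the sample policies are hypothetical, and it looks only at `script-src` with `default-src` as the fallback.

```javascript
// Decide whether a CSP header value blocks inline scripts and eval().
// Directives are split on ';', names are case-insensitive, and the first
// occurrence of a directive wins (later duplicates are ignored).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function scriptProtections(policy) {
  const directives = parseCsp(policy);
  // script-src governs scripts; default-src applies only when it is absent.
  const governing = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    // No governing directive: the policy places no restriction on scripts.
    return { governing, inlineBlocked: false, evalBlocked: false };
  }
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const unsafeInline = sources.includes("'unsafe-inline'");
  const strictDynamic = sources.includes("'strict-dynamic'");
  return {
    governing,
    // Browsers ignore 'unsafe-inline' when a nonce, hash or 'strict-dynamic'
    // is present, so only a bare 'unsafe-inline' re-enables arbitrary inline script.
    inlineBlocked: !(unsafeInline && !hasNonceOrHash && !strictDynamic),
    evalBlocked: !sources.includes("'unsafe-eval'"),
  };
}

// Constructed sample policies, not taken from any real site.
const SAMPLES = [
  "img-src 'self'",
  "default-src 'self'",
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "script-src 'nonce-abc123' 'unsafe-inline'",
];

for (const policy of SAMPLES) {
  console.log(policy, '=>', JSON.stringify(scriptProtections(policy)));
}
```

Here `inlineBlocked` means inline scripts without a matching nonce or hash are refused; scripts carrying a valid nonce or hash still run.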