Closed: ipmincubus1369 closed 8 years ago
How is this different from `<script src="/script.js"></script>`? The client is requesting JS and executing the response. If it's a first-party JS resource, the assumption is that the client knows exactly what it's asking for. A bit of trust is involved when requesting third-party JS resources, as that could definitely contain malicious code. But SPF is just a way for clients to request content. It's up to clients to only make trusted requests.
Since a JavaScript tag is returned to the client side, how do you guys prevent malicious code from being executed in the client's browser?