
I don't see how this could be truly secure if it's JS running on the client. There is nothing stopping a user from running a custom version of Chromium or otherwise that ignores CSPs... Maybe I'm not fully understanding what is being restricted here and where the code is being run.


I guess it's reducing the attack surface for your users, as you can't have a malicious userscript that would log your cc number or something
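The point the thread circles around is that a Content-Security-Policy is set by the site and enforced by the user's own browser on the user's behalf: it restricts where scripts may load from and whether injected inline scripts run, so a browser that ignores it only removes that protection from the person running it. The following is an added example, not code from the thread or from any browser, that models the `script-src` check a browser performs against a server-supplied policy. It implements only a subset of the source-expression grammar (`'none'`, `'self'`, `'unsafe-inline'`, scheme sources, and host sources with an optional `*.` prefix and port); nonces, hashes and `'strict-dynamic'` are deliberately left out. All policies and URLs in it are constructed for illustration.

```javascript
// Added example (not from the thread): a small evaluator for the script-src
// directive of a Content-Security-Policy header, modelling the check the
// user's browser performs. Subset only: no nonces, hashes or 'strict-dynamic'.

// Parse "name value value; name value" into { name: [values] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values.map((v) => v.toLowerCase());
  }
  return directives;
}

// script-src governs script loads; default-src is the fallback when absent.
function scriptSources(header) {
  const d = parseCsp(header);
  return d['script-src'] || d['default-src'] || null;
}

// host-source subset: [scheme://]host[:port], host may be "*" or start with "*."
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?$/;

function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' }[protocol] || '';
}

function hostSourceMatches(src, url) {
  const m = HOST_SOURCE.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme !== url.protocol.slice(0, -1)) return false;
  if (host !== '*') {
    if (host.startsWith('*.')) {
      const suffix = host.slice(1); // "*.cdn.example" -> ".cdn.example"
      if (!(url.hostname.endsWith(suffix) && url.hostname.length > suffix.length)) return false;
    } else if (host !== url.hostname) {
      return false;
    }
  }
  const urlPort = url.port || defaultPort(url.protocol);
  if (port && port !== '*' && port !== urlPort) return false;
  return true;
}

// Would an external <script src=...> be allowed on a page at pageUrl?
function isExternalScriptAllowed(header, scriptUrl, pageUrl) {
  const sources = scriptSources(header);
  if (sources === null) return true; // no applicable directive: nothing restricted
  if (sources.length === 1 && sources[0] === "'none'") return false;
  const url = new URL(scriptUrl);
  const page = new URL(pageUrl);
  for (const src of sources) {
    if (src === "'self'") {
      if (url.origin === page.origin) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // other keywords do not match external URLs here
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { // scheme-source such as "https:"
      if (src.slice(0, -1) === url.protocol.slice(0, -1)) return true;
      continue;
    }
    if (hostSourceMatches(src, url)) return true;
  }
  return false;
}

// Inline scripts, the usual shape of an injected payload, need 'unsafe-inline'
// (or a nonce/hash, which this subset does not model) to execute.
function isInlineScriptAllowed(header) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  return sources.includes("'unsafe-inline'");
}

// Constructed sample policy and URLs.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";
const PAGE = 'https://shop.example/checkout';
console.log(isExternalScriptAllowed(POLICY, 'https://cdn.example.com/app.js', PAGE)); // true
console.log(isExternalScriptAllowed(POLICY, 'https://other.example/x.js', PAGE));    // false
console.log(isInlineScriptAllowed(POLICY));                                          // false
```

The evaluator runs under Node without dependencies. The two functions make the division of responsibility visible: the site chooses the policy string, but every decision is taken by the code the user runs, which is why a CSP narrows what a compromised or injected page can do to the user rather than what the user can do to the site.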



