@fulanoperez wrote:
If a site has something like:
Content-Security-Policy "default-src 'none'; base-uri 'self'; require-sri-for script style; script-src 'self' blob: 'unsafe-inline'; style-src 'self' 'unsafe-inline'; …
the browsing client won’t run unsafe-eval JS.
Does the code need to have unsafe-evals?
Would Matomo consider using integrity hashes built-in and enabled by default?