Comment by whatgoodisaroad
4 years ago
CSP protects against an XSS threat model, but once the attacker has control of the browser itself, defeating CSP is trivial since you can just decorate scripts with the nonce string (or equivalent).
4 years ago
CSP protects against an XSS threat model, but once the attacker has control of the browser itself, defeating CSP is trivial since you can just decorate scripts with the nonce string (or equivalent).
On iOS you still don’t control the browser in an app, Apple limits what you’re allowed to do. I’m not sure you can disable CSP. See my reply to your sibling comment.