Comment by paxys
4 years ago
It’s on the browser to enforce CSP headers. In this case the browser itself is doing the malicious script injection. Think of it as a browser extension, just running without your consent. It’s up to the browser - not the website - to reject it.