Created on 2017-04-23 02:41 by rouilj, last changed 2017-04-23 02:41 by rouilj.
Author: [hidden] (rouilj)
Date: 2017-04-23 02:41
This means that a content security policy (CSP) must include
unsafe-inline. Using unsafe-inline makes XSS attacks easier as code
added (inline or via script tag) by the XSS bad actor will be
are authorized using a nonce (nonce support added in roundup
1.6. Access using request/client/client_nonce in templates).
Within that nonce-protected code/script, call a function that binds
onclick handlers for the classhelp links. Since the source of the
function is authorized, the added bindings are also authorized even
when the content security policy does not include unsafe-inline.