• fuzzzerd@programming.dev
    link
    fedilink
    arrow-up
    2
    ·
    9 months ago

    I felt like I had a good understanding of both htmx and csp, but after this discussion I’m going to have to read up on both because both of you are making a logically sound argument to my mind.

    I’m struggling to see how htmx is more vulnerable than say react or vue or angular, because with csp as far as I can tell I can explicitly lock down what htmx can do, despite any maliciously injected html that might try to do otherwise.

    Thanks for this discussion 🙂

    • rwhitisissle@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      CSP works on the browser API level - all HTMX does is what you could do yourself with any AJAX: send an HTTP request to an endpoint. If the CSP disallows that endpoint, it will fail.