2015-09-01 UTC
Loqi [bridgy] Tom replied '@t @dougturner They don't have to modify your CSP: most CSP allows 'self', they can just inject a script '/att_ads.js' and catch the request' to a tweet that linked to http://indiewebcamp.com/Content-Security-Policy#Why_bother_if_attacker_can_hack_CSP_too (https://twitter.com/kermiite/status/638617749367951360)