SahAssar 2 days ago
CSP blocks execution/inclusion, but since JSON does not execute and any JSON MIME type will not do execution, there is no problem. Any other CSP-allowed script can read that application/json script tag and decode it, but it is no different from reading any other data it has access to, like any other HTML element or attribute.
alserio 2 days ago
That makes sense, thank you
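An added example, not code from either commenter: a sketch of the type check a browser applies before running a `<script>` element, which is why an `application/json` script tag is a non-executing data block that CSP has nothing to block, while any allowed script can still read and decode it. The function names, the regex-based scan and the sample HTML are constructed for illustration; a real page would read `element.textContent` from the DOM, and the `language` attribute is ignored here.

```javascript
// JavaScript MIME type essences listed by the HTML / MIME Sniffing specs.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);
const ASCII_WS = /^[\t\n\f\r ]+|[\t\n\f\r ]+$/g;

// Returns "classic", "module", "importmap", or "data" (never executed).
function classifyScriptType(typeAttr) {
  if (typeAttr === null || typeAttr === "") return "classic"; // defaults to JS
  const lowered = typeAttr.toLowerCase();
  if (JS_MIME_ESSENCES.has(lowered.replace(ASCII_WS, ""))) return "classic";
  if (lowered === "module" || lowered === "importmap") return lowered;
  return "data"; // unknown type: the element's text is inert data
}

// Simplified scan (assumption: double-quoted type attributes, constructed
// input only). It stands in for a CSP-allowed script walking the DOM.
function readDataBlocks(html) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    const m = /\btype\s*=\s*"([^"]*)"/i.exec(attrs);
    const type = m ? m[1] : null;
    const kind = classifyScriptType(type);
    const isJson = kind === "data" &&
      type.replace(ASCII_WS, "").toLowerCase() === "application/json";
    // Only the data block is decoded; executable kinds are left untouched.
    found.push({ type, kind, data: isJson ? JSON.parse(body) : null });
  }
  return found;
}

// Constructed sample page fragment.
const SAMPLE_HTML = `
<script type="application/json" id="cfg">{"user":"alice","flags":["beta"]}</script>
<script type="text/javascript">window.ran = true;</script>
<script type="module">export {};</script>`;

console.log(readDataBlocks(SAMPLE_HTML));
```

The data in such a block is exactly as exposed as any other element or attribute on the page, so it should hold nothing that an allowed script is not meant to see.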