You're not crazy, and they should fix it. But remember the web existed before CSP was ubiquitous and plenty of sites still don't use it (even though they should). It's a very important defense but not the only one. You've identified something that could be the first step in a hack - but it doesn't necessary mean there is a hack.
You're not crazy, and they should fix it. But remember the web existed before CSP was ubiquitous and plenty of sites still don't use it (even though they should). It's a very important defense but not the only one. You've identified something that could be the first step in a hack - but it doesn't necessary mean there is a hack.