2026-02-04 13:34:37
Dear pen-tester:
The mitigation is not to remove "unsafe-inline" from Content-Security-Policy.
The mitigation is to re-engineer how a web app includes JavaScript, and *then* to ask all third-party providers to re-engineer their code in the same way.
This is a longer-than-a-decade process that nobody wants to pay for.
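
To put a number on the re-engineering described above, here is an added example (not part of the original post) that inventories what a page would lose if `script-src` dropped "unsafe-inline": inline script blocks, inline event handlers and `javascript:` URLs. The function names and the sample page are constructed for illustration, and the regex scan is a rough count that assumes no `>` inside attribute values.

```javascript
// Constructed sample page: one external script, one plain inline script,
// one nonce-carrying script, three inline handlers and one javascript: URL.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script nonce="r4nd0m">initWidget({ id: 7 });</script>
</head><body>
<button onclick="checkout()">Buy</button>
<a href="javascript:void(0)" onmouseover="track('hover')">More</a>
<img src="/logo.png" onerror="this.remove()">
</body></html>`;

// Count every construct that script-src without 'unsafe-inline' would block.
function inventoryInlineScript(html) {
  const findings = { inlineBlocks: 0, noncedBlocks: 0, externalScripts: 0,
                     eventHandlers: [], javascriptUrls: 0 };

  // <script> elements: external (src=), nonce-carrying, or plain inline.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(scriptRe)) {
    const attrs = m[1];
    if (/\bsrc\s*=/i.test(attrs)) findings.externalScripts++;
    else if (/\bnonce\s*=/i.test(attrs)) findings.noncedBlocks++; // already migrated
    else if (m[2].trim() !== "") findings.inlineBlocks++;
  }

  // Drop script elements so JS source text is not mistaken for markup.
  const markup = html.replace(scriptRe, "");

  // Opening tags only: closing tags start with "</" and are skipped.
  for (const tag of markup.match(/<[a-z][^>]*>/gi) || []) {
    for (const a of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.eventHandlers.push(a[1].toLowerCase());
    }
    if (/\s(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i.test(tag)) {
      findings.javascriptUrls++;
    }
  }
  return findings;
}

// Items that need rewriting before 'unsafe-inline' can be removed.
function blockedWithoutUnsafeInline(f) {
  return f.inlineBlocks + f.eventHandlers.length + f.javascriptUrls;
}
```

Each counted item has to become an external file, a nonce- or hash-allowed block, or an `addEventListener` call, and the same count applies to any markup injected by third-party code.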