Oh, the lengths someone will go to to not admit they are wrong and don’t know what they’re talking about. You are so clearly incompetent and so aggressively ignorant about what you’re even saying that I genuinely hope for your sake no one responsible for paying you ever learns how woefully stupid you are. You literally thought HTMX was its own language or server-side framework - I’m not sure which. It’s genuinely funny how opinionated you are over something you just never bothered to even learn about in the first place. I don’t think you’re even sure which of those things you thought it was in the first place.
All you’re doing is trying to save face here by putting words into my mouth. “React is transpiled into JavaScript!” Yes, obviously. That’s why I said you don’t serve React: you serve JavaScript, which React code becomes as its served to the end user. And HTMX already is JavaScript, which you would not transpile because you can’t. Because, and I guess you didn’t see the bolded letters in my previous comment: it’s already a JavaScript library. And you also clearly don’t understand how CSP is enforced within the browser, as I’ve literally proven that your “security concerns” for HTMX are only an issue if you have no idea how CSP even works or is controlled, or even how fucking HTTP requests work in the browser. Hell, I even provided links. Did you provide links? No. You didn’t. You sat here and filled your diaper like the baby you are once I explained to you how HTMX actually works and you were just so. fucking. embarrassed. that you couldn’t even imagine being a grownup and just admitting you’ve been talking out of your ass about something you don’t understand. You just pivoted to insults because you don’t have any real evidence to support your assertions: no explanation for how HTMX violates CSP, no demonstrable vulnerabilities, no real explanation for how this one client-side JavaScript library can bypass CSP when thousands of others can’t. You can’t even explain how you think HTMX does what it does, because you have no fucking clue. All you do have is your ignorance and impotent rage at someone proving, exhaustively, that you are desperately and pathetically out of your depth.
Honestly, I pray for your organization’s sake you’re just a very underqualified intern they’re stuck with until they can kick you out at the end of semester and tell you to go pound sand and beg some dogshit tier company for a job as a scriptmonkey, because if they aren’t, you’re going to actively make everything you touch worse because you don’t actually understand how any of it works and when someone tells you you’re doing it wrong or have made mistakes you’re just going to double down until you get made to sit in a corner and let a big boy fix it.
It turns out the language you use can be semantically ambiguous or misleading if you phrase it incorrectly. Today you learned.
Oh, did you finally manage to fucking Google how HTMX works so you could fish for more reasons to say it’s unsafe? What you’re describing is not a particular concern to HTMX. If an attacker can inject HTML into your page (for example, through an XSS vulnerability), they could potentially set up HTMX attributes to make requests to any endpoint, including endpoints designed to collect sensitive information. But, and this is very important, this is not a unique issue to HTMX; it’s a general security concern related to XSS vulnerabilities and improper CSP configurations.
Do you know what the correct cure for that is?
PROPER CSP CONFIGURATION.
Do you genuinely not understand that CSP works on the browser API level? It doesn’t check to see if your JavaScript contains reference to disallowed endpoints and then prevents it from running. I don’t know how you “think” CSP operates, but what happens is this: The browser exposes an API to allow JavaScript to make HTTP requests - specifically XMLHttpRequest and fetch(). What CSP does is tell the browser “Hey, if you get an API request via XMLHttpRequest or fetch to a disallowed endpoint, don’t fucking issue it.” That’s it. HTMX does not magically bypass the underlying CSP mechanism, because those directives operate on a level beyond HTMX’s (or any JS library’s) influence BY DESIGN. You cannot bypass if it if’s properly configured. Two very serious questions: what part of this is confusing to you? And, have you ever tested this yourself in any capacity to even see if what you’re claiming is even true? Because I have tested it and CSP will block ANY HTMX issued request that is not allowed by CSP’s connect-src directive, assuming that’s set.