Content Security Policies: Let’s Break Stuff

  • A Content Security Policy (CSP) limits how much damage an XSS vulnerability can cause
  • Hard to get right the first time (especially where it interacts with browser extensions), but report-uri and the Content-Security-Policy-Report-Only header make it easier to manage: violations are reported without being blocked, so a policy can be tested before it is enforced
  • Use a nonce to safely allow trusted inline scripts.
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
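As an added example (not from the linked documentation), the Python below builds the nonce-based policy described above, switches between the enforcing and Report-Only header names, and checks whether an inline script carrying a given nonce would be allowed; the function names and the /csp-report endpoint are assumptions.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Hypothetical violation-report endpoint; point this at your own collector.
REPORT_ENDPOINT = "/csp-report"


def make_nonce() -> str:
    """Fresh, unguessable nonce. Generate one per response and never reuse it."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, report_only: bool = False) -> Tuple[str, str]:
    """Return (header_name, header_value) for a nonce-based script policy.

    report_only=True emits Content-Security-Policy-Report-Only: violations are
    sent to REPORT_ENDPOINT but nothing is blocked, which is how a new policy
    can be trialled without breaking the site.
    """
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        f"report-uri {REPORT_ENDPOINT}",
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def inline_script_allowed(value: str, script_nonce: Optional[str]) -> bool:
    """Would a browser run an inline <script> with this nonce under the policy?

    Inline scripts need a matching 'nonce-...' source; 'self' alone never
    permits inline code. 'unsafe-inline' allows everything inline, but modern
    browsers ignore it as soon as a nonce or hash source is present.
    """
    policy = parse_csp(value)
    sources = policy.get("script-src") or policy.get("default-src", [])
    if "'unsafe-inline'" in sources and not any(s.startswith("'nonce-") for s in sources):
        return True
    return script_nonce is not None and f"'nonce-{script_nonce}'" in sources
```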