Content Security Policies: Let’s Break Stuff

  • A CSP lets you limit the damage an XSS vulnerability can cause
  • Hard to get right the first time (especially where it interacts with browser extensions), but report-uri and Content-Security-Policy-Report-Only make rolling one out easier to manage
  • Use a nonce to safely allow trusted inline scripts