• BodilessGaze@sh.itjust.works
      link
      fedilink
      arrow-up
      4
      ·
      8 months ago

      Unfortunately, retrofitting CSP on an existing site can be nightmare, especially if you have external dependencies. At my job, we spent months trying to enable CSP on one our oldest sites, but ultimately gave up because one of our dependencies won’t work unless we added “unsafe-inline” everywhere, which kinda defeats the whole point of CSP.

      • tyteen4a03OP
        link
        fedilink
        arrow-up
        2
        ·
        8 months ago

        Having something is better than nothing! In our case, having connect-src enabled would have avoided the incident.