• BodilessGaze@sh.itjust.works
    link
    fedilink
    arrow-up
    4
    ·
    9 months ago

    Unfortunately, retrofitting CSP on an existing site can be nightmare, especially if you have external dependencies. At my job, we spent months trying to enable CSP on one our oldest sites, but ultimately gave up because one of our dependencies won’t work unless we added “unsafe-inline” everywhere, which kinda defeats the whole point of CSP.

    • tyteen4a03OP
      link
      fedilink
      arrow-up
      2
      ·
      9 months ago

      Having something is better than nothing! In our case, having connect-src enabled would have avoided the incident.