I've tried to get Content Security Policy (CSP) rolled out in our new development at work, and to be frank, I'm starting to lose faith that it is workable.
We're on report-only at the moment, and it seems like every major JavaScript library depends on eval() in one way or another (mostly new Function()).
Just this week someone wanted to use Angular (1.3.1) and it generates dozens of CSP reports without ng-csp on the HTML element, but when the attribute exists, $http responses (which depend on function()) aren't working (e.g. success(function(data, status, headers, config) {})).
Unfortunately Angular's documentation on CSP is a single page with nothing particularly helpful, and tons of stackoverflow results about Google Chrome extension development.
This is just the tip of the iceberg. Seems like every single major JavaScript library (even things you just take for granted) break CSP or need tons of exceptions.
Just turn on CSP's unsafe-eval option. You still get the XSS attack prevention unless your code is doing something very silly already and eval'ing stuff from the DOM.
You can scan for a huge chunk of this with https://www.tinfoilsecurity.com, and we're adding more every day. Most importantly, you should make it a regular part of your Dev cycle.
Note: this isn't an ad, it just seemed relevant to those interested in a "cheat sheet." Automating it by calling out to our API seems really relevant. :)
The problem with your approach is that you are assuming that people are fine with scanning in production for security issues. While it is true that everyone does it, this argument falls flat because there are plenty of systems which will avoid the risk, and for good reasons.
I really really wish this didn't have to be the case. Legally, in order for us to show you results, we have to verify you have authorization / own the site. Part of doing that is to make you register. If we could show results without making you register and verify, we would, but we'd be on very very shaky legal ground if we did, for obvious reasons.