Dahhhhhh. Retrofitting CSP to an established, legacy site with inline scripts and random CSS/js loaded from all over the place is damn stressful.

Why did I volunteer to sort this crap out... What a pleb.

  • 3
    On the other hand, it's a good opportunity to cut out the crap. Btw., loading third party shit is a security, reliability, and privacy issue anyway.
  • 1
    Can you programmatically insert a nonce into all script and style elements? You would - besides allowing required external scripts - now allow every script/style with this nonce.
  • 1
    @Fast-Nop Oh absolutely, it needs to be done, that's why I volunteered for it (wouldn't have been done otherwise.) It's just a bit of a thankless task.
  • 2
    @sbiewald I wish - it's complicated by the fact it's (in part) dynamically generated, so that's tricky. That's my goal as a first port of call (before removing all inline scripts entirely), but it requires some amount of work before I can get it to that stage.
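
The nonce approach suggested in the comments above, sketched as an added example (not code from the thread): it stamps a per-response nonce onto every `<script>` and `<style>` element and lists the inline `on*`/`style` attributes a nonce cannot cover. `TEMPLATE`, `apply_nonce`, `csp_header` and `new_nonce` are hypothetical names, and the input is assumed to be trusted template markup taken before any user content is interpolated, since stamping final output would also approve markup that user input introduced.

```python
import secrets
from html.parser import HTMLParser

# Constructed sample of trusted template markup (not from the thread).
TEMPLATE = (
    '<html><head>\n'
    '<style>body{margin:0}</style>\n'
    '<script src="/static/app.js"></script>\n'
    '</head><body onload="init()">\n'
    '<script>var s = "<style>";</script>\n'
    '<script nonce="keep">x()</script>\n'
    '</body></html>'
)

class _Scan(HTMLParser):
    """Locate <script>/<style> start tags and inline attributes a nonce cannot cover."""
    def __init__(self, html):
        super().__init__()
        # Absolute index of the first character of every line, for getpos().
        self.line_starts = [0] + [i + 1 for i, c in enumerate(html) if c == "\n"]
        self.inserts, self.uncovered = [], []
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        line, col = self.getpos()  # position of the tag's "<"
        names = [name for name, _ in attrs]
        if tag in ("script", "style") and "nonce" not in names:
            # Insert right after "<script" / "<style".
            self.inserts.append(self.line_starts[line - 1] + col + 1 + len(tag))
        # Nonces apply to elements only; on* handlers and style="" stay blocked.
        self.uncovered += [(line, tag, n) for n in names if n.startswith("on") or n == "style"]

def new_nonce():
    return secrets.token_urlsafe(16)  # fresh, unpredictable value per response

def apply_nonce(template_html, nonce):
    """Return (html with nonce attributes, attributes still needing a refactor)."""
    scan = _Scan(template_html)
    out = template_html
    for pos in reversed(scan.inserts):  # back to front keeps earlier offsets valid
        out = out[:pos] + f' nonce="{nonce}"' + out[pos:]
    return out, scan.uncovered

def csp_header(nonce):
    return f"script-src 'nonce-{nonce}'; style-src 'nonce-{nonce}'"
```

The second return value of `apply_nonce` is the worklist of inline handlers to move into nonced scripts before the policy can be enforced.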