• @[email protected]
      link
      fedilink
      48 months ago

      Unfortunately, retrofitting CSP on an existing site can be nightmare, especially if you have external dependencies. At my job, we spent months trying to enable CSP on one our oldest sites, but ultimately gave up because one of our dependencies won’t work unless we added “unsafe-inline” everywhere, which kinda defeats the whole point of CSP.

      • @[email protected]OP
        link
        fedilink
        28 months ago

        Having something is better than nothing! In our case, having connect-src enabled would have avoided the incident.