CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, by Google Research
Jared Sperli stashed this in security
Geez, from studying 100 billion pages from 1 billion domain names:
14 out of the 15 domains most commonly whitelisted for loading scripts contain unsafe endpoints; as a consequence, 75.81% of distinct policies use script whitelists that allow attackers to bypass CSP. In total, we find that 94.68% of policies that attempt to limit script execution are ineffective, and that 99.34% of hosts with CSP use policies that offer no benefit against XSS.
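The quoted findings come down to one question a defender can ask of any policy: does script-src rely on a host whitelist (which the paper finds bypassable wherever a whitelisted host exposes an unsafe endpoint), or on 'unsafe-inline' or wildcards, or on nonces/hashes? The following checker is an added example, not code from the paper or from the stasher; the sample headers are constructed, and the classification rules and verdict strings are my own rather than the paper's tooling:

```python
import re
from dataclasses import dataclass, field

# Hash-source prefixes defined by CSP Level 2.
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


@dataclass
class ScriptSrcReport:
    directive: str                  # directive that actually governs scripts
    nonce_or_hash: bool = False
    strict_dynamic: bool = False
    unsafe_inline: bool = False
    wildcard_or_scheme: bool = False
    hosts: list = field(default_factory=list)
    verdict: str = ""


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}.
    Per the spec, only the first occurrence of a directive counts."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def analyze_script_src(header: str) -> ScriptSrcReport:
    """Classify how a policy restricts script execution (assumed rules, not the paper's)."""
    d = parse_csp(header)
    if "script-src" in d:
        report, sources = ScriptSrcReport("script-src"), d["script-src"]
    elif "default-src" in d:          # script-src falls back to default-src
        report, sources = ScriptSrcReport("default-src"), d["default-src"]
    else:
        return ScriptSrcReport(
            "none", verdict="ineffective: no script-src or default-src, scripts unrestricted")

    for src in sources:
        low = src.lower()
        if low.startswith("'nonce-") or low.startswith(HASH_PREFIXES):
            report.nonce_or_hash = True
        elif low == "'strict-dynamic'":
            report.strict_dynamic = True
        elif low == "'unsafe-inline'":
            report.unsafe_inline = True
        elif low == "*" or re.fullmatch(r"[a-z][a-z0-9+.-]*:", low):
            report.wildcard_or_scheme = True     # '*' or a bare scheme such as https:
        elif low in ("'none'", "'unsafe-eval'"):
            continue                             # neither adds a script source
        elif low == "'self'" or not low.startswith("'"):
            report.hosts.append(src)             # own origin counts as a whitelisted host

    if report.nonce_or_hash:
        report.verdict = "nonce/hash-based"
        if report.strict_dynamic:
            report.verdict += " with 'strict-dynamic', host and scheme sources ignored"
        if report.unsafe_inline:
            report.verdict += " ('unsafe-inline' is ignored by CSP2 browsers once a nonce/hash is present)"
    elif report.unsafe_inline:
        report.verdict = "ineffective: 'unsafe-inline' permits any injected inline script"
    elif report.wildcard_or_scheme:
        report.verdict = "ineffective: wildcard or scheme-only source permits scripts from any host"
    elif report.hosts:
        report.verdict = ("host whitelist: bypassable if any listed host (the site's own origin "
                          "included) serves an unsafe endpoint; review every entry")
    else:
        report.verdict = "no script source permitted"
    return report


if __name__ == "__main__":
    # Constructed sample policies, from weakest to strongest.
    for h in ("script-src 'self' https://cdn.example.com 'unsafe-inline'",
              "script-src 'self' https://cdn.example.com",
              "script-src 'nonce-r4nd0m' 'strict-dynamic' https:; object-src 'none'"):
        print(f"{h!r:75} -> {analyze_script_src(h).verdict}")
```

Run against real Content-Security-Policy response headers, the "host whitelist" verdict is the one the abstract is about: the policy looks restrictive, yet its protection against XSS depends entirely on no whitelisted host serving anything an attacker can reuse, which is the property the paper found to fail for 14 of the 15 most-whitelisted domains.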
That looks like fun but on the other hand it seems kinda heavy to carry around.
It's actually a solution to both security and obesity.