Recommended Content Security Policy #49
Comments
@konklone is this still relevant? Just resurfacing from 2016 :D
Well, CSP still exists, but I'm honestly not sure what I was recommending in this one... CSP would be relevant to a website that is embedding DAP, but I don't see what the DAP code itself would need to do. Possibly you could give guidance to agencies about using CSP when they embed DAP? But even there, you would just be saying that it's generally good to use CSP, but if they do use it, to make sure they carve out the DAP code to be allowlisted so that it could continue to function. But if you're not already seeing breakage due to over-aggressive CSP use, then it's really not that important. That's all to say I think this can be closed.
We have an issue where our CSP specifies It would be helpful if DAP outlined a CSP that was recommended, known to work, and complied with security requirements.
@smarina04 I think this is very much still relevant. In terms of the actual work here, I support @raybaxter's request for the DAP team to document the recommended approach(es) for using DAP with a content security policy. See for example Google's guidance on using a content security policy that works with Google Analytics 4. Something like this for DAP would be amazing. My team recently had to go through a lot of trial and error to determine a content security policy that worked with DAP and I was surprised this wasn't a solved problem. Adding support (or documenting existing support) for using content security policy nonces would also be great, but I think might be a separate issue.
Content Security Policy is a method for websites to inform web browsers of what policies they should apply to downloading/executing/embedding scripts and other resources.
Support is reasonably wide for CSP1 and CSP2. CSP3 is still in draft.