Lukas Weichselbaum

Results 6 comments of Lukas Weichselbaum

Thanks for confirming @AnujRNair! I think that CSP can serve as a strong defence-in-depth mechanism, if configured properly. Unfortunately, it's very easy to misconfigure a CSP and by that making it...

Thank you!

> Any secure CSP will break most projects and will only be fixable by users who understand CSP in the first place.

I think it's possible to have...

Unfortunately, hashing of external scripts is currently only supported in Chromium-based browsers (see [web-platform-tests](https://wpt.fyi/results/content-security-policy/script-src/script-src-sri_hash.sub.html?label=master&label=experimental&aligned)). This means that while hashed external scripts would load e.g. in Chrome and Edge, they'd get...

These are interesting questions! On the one hand it would be nice to have a way to allow "trusted" eval via trusted types as it would simplify the rollout of...

+1 It'd be nice if we would not have to set 3+ headers for configuring reporting :) Another straw-person proposal based on the previous proposal from @clelland -- since report-to...

I'm not particularly worried about the 'cheating' aspect, as developers can simply choose not to use this new keyword if that's the concern. Moreover, CSP is generally not well suited...