Content Security Policy is a key tool in the battle against cross-site scripting attacks. Unfortunately, a recent study from Google reveals that web developers are shooting themselves in the foot where CSP is concerned. A pair of new tools from Google — CSP Evaluator and CSP Mitigator — are intended to help developers get it right.
CSP Evaluator is a new tool from Google that allows developers to visualise the effects of their site’s Content Security Policy. It’ll hopefully help developers choose secure content policies, and understand the inherent risk in disabling one of the main planks of a secure policy.
Thousands of developers have recognized that Content Security Policy is an incredible addition to their security toolkit, but many haven’t implemented it correctly. Together, CSP Evaluator and CSP Mitigator may contribute to creating a safer web by helping developers implement sensible CSP policies.
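To make concrete what "getting it right" means, here is a small added example, written for this page and not part of Google's CSP Evaluator or CSP Mitigator, that parses a Content-Security-Policy header and flags the mistakes that most often leave a policy bypassable: `'unsafe-inline'` on scripts without a nonce or hash, `'unsafe-eval'`, wildcard or scheme-only script sources, and a missing `object-src` or `base-uri`. The two sample policies (`WEAK_POLICY`, `STRICT_POLICY`) and the nonce value in them are constructed for the demonstration.

```python
"""Minimal CSP linter (added example; not Google's CSP Evaluator).

Parses a Content-Security-Policy header value and reports the patterns
that commonly make a policy ineffective against cross-site scripting.
"""
from typing import Dict, List, Optional

# Constructed sample policies: a typical weak one and a nonce-based strict one.
WEAK_POLICY = "script-src 'self' 'unsafe-inline' https://*.example.com; default-src 'self'"
STRICT_POLICY = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Browsers honour only the first occurrence of a directive within one
    policy, so a repeated directive is ignored rather than merged.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in policy:
            policy[name] = sources
    return policy


def find_weaknesses(header: str) -> List[str]:
    """Return human-readable findings for the weak patterns checked here."""
    policy = parse_csp(header)
    findings: List[str] = []

    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script_src: Optional[List[str]] = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
        script_src = []

    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
    )
    # A nonce or hash makes browsers ignore 'unsafe-inline'; without one it
    # disables the main protection CSP offers against injected inline script.
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' with no nonce/hash: inline scripts are not blocked")
    if "'unsafe-eval'" in script_src:
        findings.append("script-src allows 'unsafe-eval': string-to-code sinks are not blocked")
    for src in script_src:
        if src == "*" or (not src.startswith("'") and "*" in src):
            findings.append(f"script-src wildcard source {src}: every script on matching hosts is trusted")
        elif src.endswith(":"):
            findings.append(f"script-src scheme-only source {src}: every script over that scheme is trusted")

    # object-src falls back to default-src; plugin content can otherwise carry script.
    if policy.get("object-src", policy.get("default-src")) is None:
        findings.append("no object-src or default-src: plugin content is unrestricted")

    # base-uri does NOT fall back to default-src; without it an injected <base>
    # tag can change where relative script URLs resolve to.
    if "base-uri" not in policy:
        findings.append("no base-uri: relative script URLs can be retargeted via an injected <base> tag")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label}: {find_weaknesses(policy) or ['no findings']}")
```

Run against the constructed samples, the weak policy yields three findings (inline scripts allowed, wildcard host, missing `base-uri`) while the nonce-based policy yields none; the fallback rules in `find_weaknesses` are the part developers most often get wrong, since `base-uri` in particular does not inherit from `default-src`.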