1. 15

  2. 6

    A warning when using the Content-Security-Policy header: it will break almost all third-party JavaScript snippets on your site. Most of these snippets are designed to be inline scripts, which is usually a feature you want to disable with content security.

    1. 3

      Definitely true. Analytics snippets thwarted our last attempt at CSP.

      A nice side effect of the attempt, at least, was that we completely stopped writing inline script of our own in the app, so the exercise was not without gains. A highly recommended goal.

      1. 3

        This is why the “Submit to Lobsters” snippet doesn’t work on GitHub repo pages.
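To make the warning at the top of this thread concrete, here is an added example (not code from any commenter) that checks whether a given Content-Security-Policy value lets an inline `<script>` snippet run. It assumes a simplified model: only `script-src` with `default-src` fallback is consulted, the snippet is assumed to match no hash source, and the function names and sample policies are constructed for illustration.

```javascript
// Added example: does this CSP let an inline <script> snippet execute?
// Simplified model (assumption): script-src with default-src fallback only;
// script-src-elem is ignored and the snippet is assumed to match no hash source.

// Split a policy string into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// scriptNonce is the value of the snippet's nonce attribute, if it has one.
function inlineScriptAllowed(header, scriptNonce = null) {
  const directives = parseCsp(header);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no directive governs scripts

  const lower = sources.map((s) => s.toLowerCase());
  // Nonce values are case-sensitive, so take them from the original tokens.
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice(7, -1));
  const hasHash = lower.some((s) => /^'sha(256|384|512)-/.test(s));

  if (scriptNonce && nonces.includes(scriptNonce)) return true;
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  if (nonces.length > 0 || hasHash) return false;
  return lower.includes("'unsafe-inline'");
}

// Constructed sample policies, checked against a plain inline snippet.
const SAMPLES = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'",
];
for (const policy of SAMPLES) {
  console.log(inlineScriptAllowed(policy) ? 'runs   ' : 'blocked', policy);
}
```

A third-party snippet pasted inline is blocked by the first and third policies; the third only lets it through when the page adds the matching `nonce` attribute to that script tag.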