A warning when using the Content-Security-Policy header: it will break almost all third-party JavaScript snippets on your site. Most of these snippets are designed to be inline scripts, which is usually a feature you want to disable with content security.
Definitely true. Analytics snippets thwarted our last attempt at CSP.
A nice side effect of the attempt, at least, was that we completely stopped writing inline scripts of our own in the app, so the exercise was not without gains. A highly recommended goal.
This is why the “Submit to Lobsters” snippet doesn’t work on GitHub repo pages.
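Added example, not part of the thread: a Node.js sketch of how a browser decides whether an inline script (such as a pasted analytics snippet) may run under a given policy, which is useful for auditing a CSP before rollout. The function names and the sample snippet are constructed for illustration, and it only considers `script-src` and `default-src` (not `script-src-elem` or report-only mode).

```javascript
const crypto = require("node:crypto");

// Parse a policy string into a Map of directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Duplicate directives are ignored: the first occurrence wins.
    const key = (name || "").toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Returns { allowed, reason } for one inline script body and its nonce attribute.
function inlineScriptAllowed(policy, scriptBody, nonceAttr = "") {
  const directives = parseCsp(policy);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return { allowed: true, reason: "no script restriction" };

  const lower = sources.map((s) => s.toLowerCase());
  const nonces = sources.filter((s) => /^'nonce-.+'$/i.test(s)).map((s) => s.slice(7, -1));
  const hashes = sources.filter((s) => /^'sha(256|384|512)-.+'$/i.test(s));
  if (nonceAttr && nonces.includes(nonceAttr)) return { allowed: true, reason: "nonce match" };

  for (const h of hashes) {
    const algo = h.slice(1, 7).toLowerCase(); // "sha256", "sha384" or "sha512"
    const actual = crypto.createHash(algo).update(scriptBody, "utf8").digest("base64");
    if (actual === h.slice(8, -1)) return { allowed: true, reason: "hash match" };
  }

  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' source is present.
  const relaxed = lower.includes("'unsafe-inline'") && !lower.includes("'strict-dynamic'");
  if (relaxed && nonces.length === 0 && hashes.length === 0) {
    return { allowed: true, reason: "'unsafe-inline'" };
  }
  return { allowed: false, reason: "inline script blocked" };
}

// Constructed sample: an inline loader snippet under a policy without 'unsafe-inline'.
const sampleSnippet = "window.dataLayer = window.dataLayer || [];";
console.log(inlineScriptAllowed("default-src 'self'; script-src 'self'", sampleSnippet));
```

Allowing the host a snippet loads from does not help the inline part: it needs a matching nonce or hash, and a hash stops matching as soon as the vendor changes a single byte of the snippet.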