by niftich
3556 days ago
This tool they just released is hopefully helpful, and will help site administrators craft specific CSPs for specific parts of their site -- other, more generic tools already exist.

On the HN thread on the cited study, I posted [1] that C-S-P is 'another damn header' that has to be included to stay secure and, unlike many of the 'other damn headers', its value is hopefully fine-tuned to the particular protected resource, unlike a site-wide hardcoded string.

I think more so than another configuration helper tool, what the Web really needs is a CSP rule engine evaluator that allows rules to be specified declaratively ahead of time, and integrates with some existing web framework to allow the resulting C-S-P value to be spliced into the outgoing response. Portions of this approach are implicitly proposed by OWASP here [2], but I've yet to see it written down formally, as opposed to just some code example. Widely adopting this approach would result in a paradigm shift that lifts C-S-P from 'just a header' to a first-class construct integral to the operation of the web application.

[1] https://news.ycombinator.com/item?id=12408680

[2] https://www.owasp.org/index.php/Content_Security_Policy#Coun...
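As an added illustration of the per-resource rule engine the comment describes (example code written for this page, not from the commenter, OWASP or any framework): declarative path rules are merged into a site-wide baseline, linted, and spliced into the outgoing response by a WSGI wrapper. All paths, hosts and directive values are constructed samples.

```python
import re
import secrets

# Site-wide baseline applied to every response; matching per-path rules extend it.
# All paths, hosts and directives here are constructed sample values.
BASELINE = {"default-src": ["'self'"], "object-src": ["'none'"], "base-uri": ["'self'"]}
RULES = [  # (path regex, directive -> sources); every matching rule contributes
    (r"^/blog/", {"img-src": ["'self'", "https://images.example"],
                  "script-src": ["'self'", "https://cdn.example"]}),
    (r"^/admin/", {"script-src": ["'self'", "'nonce-{nonce}'"],
                   "frame-ancestors": ["'none'"]}),
]

def evaluate(path, rules=RULES, baseline=BASELINE):
    """Merge the baseline with every rule whose pattern matches the request path."""
    policy = {d: list(s) for d, s in baseline.items()}
    for pattern, directives in rules:
        if re.match(pattern, path):
            for directive, sources in directives.items():
                merged = policy.setdefault(directive, [])
                merged.extend(s for s in sources if s not in merged)
    return policy

def serialize(policy, nonce):
    """Render the policy as a header value, filling in the per-response nonce."""
    parts = ["%s %s" % (d, " ".join(srcs)) for d, srcs in policy.items()]
    return "; ".join(parts).replace("{nonce}", nonce)

def lint(policy):
    """Findings the engine should refuse to ship; an empty list means clean."""
    findings, scripts = [], policy.get("script-src", policy.get("default-src", []))
    if "*" in scripts or ("'unsafe-inline'" in scripts
                          and not any(s.startswith("'nonce-") for s in scripts)):
        findings.append("script-src permits arbitrary or un-nonced inline scripts")
    findings += ["%s not set" % d for d in ("object-src", "base-uri") if d not in policy]
    return findings

def csp_middleware(app):
    """WSGI wrapper that splices the evaluated policy into each outgoing response."""
    def wrapped(environ, start_response):
        nonce = secrets.token_urlsafe(16)
        environ["csp.nonce"] = nonce  # templates read this to tag their inline scripts
        policy = evaluate(environ.get("PATH_INFO", "/"))
        if lint(policy):  # fail closed rather than serve a weakened policy
            raise RuntimeError("refusing weak CSP: %s" % lint(policy))
        def start(status, headers, exc_info=None):
            headers.append(("Content-Security-Policy", serialize(policy, nonce)))
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped
```

Because the rules live in data rather than in a hardcoded header string, a review of the policy is a review of RULES, and the lint step turns a weak directive into a deploy-time failure instead of a silently weaker response.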