by voltagex_ 2559 days ago
Is no one using them because there's little awareness of them in the wider web dev industry? Is no one using them because the courses being taught at the moment don't include security? Are they too hard to use? Are they not turned on by default?

Yes to all of them? I love these concepts, but who wants to maintain CSPs and audit revisions to third-party JavaScript in a fast-moving environment (see my DevOps is crap rant below)? Maybe I start a new project with the best intentions, but then marketing comes, then there is pressure to just get on with it ... Even with the best intentions, it's literally impossible to keep track as the system matures and complexity increases. And you eventually have to give up on auditing any of the external resources (who even does that in the first place? Instead we all assume it has been properly checked by the upstream vendor).

Having a "security-ops meeting" to discuss whether we should really be using shiny new XYZ.js from another external provider isn't going to work either. It all seems like it's more of a mindset problem than a technical one. It's one hot mess.