by spacefight 4248 days ago
> So don't load any external JS libraries on the key-generating pages.

And anywhere else. The local banks in my country are not doing this. And a wallet site shouldn't either. Even the coinbase login screen pings olark.com all the time.

Oh, and if you look at their CSP report sending back home, the original-policy is quite scary.

"original-policy":"default-src https://www.coinbase.com https://*.olark.com; connect-src https://www.coinbase.com wss://ws.pusherapp.com https://api.mixpanel.com; font-src https://www.coinbase.com https://*.olark.com; frame-src https://www.coinbase.com https://*.wpstn.com https://h.online-metrix.net https://*.siftscience.com; img-src https://www.coinbase.com https://i2.wp.com https://secure.gravatar.com https://secure.etrust.org https://ssl.google-analytics.com data:; media-src https://www.coinbase.com https://*.olark.com; object-src https://www.coinbase.com https://*.olark.com; script-src https://www.coinbase.com 'unsafe-inline' 'unsafe-eval' https://stats.pusher.com https://cdn.siftscience.com https://*.newrelic.com https://*.google-analytics.com https://www.google.com https://www.youtube.com https://*.ytimg.com; style-src https://www.coinbase.com 'unsafe-inline'; report-uri https://www.coinbase.com/csp-report","referrer":"","violated... https://www.coinbase.com 'unsafe-inline' 'unsafe-eval' https://stats.pusher.com https://cdn.siftscience.com https://*.newrelic.com https://*.google-analytics.com https://www.google.com https://www.youtube.com https://*.ytimg.com"}}
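The `original-policy` value above can be audited mechanically. The following is an added example, not code from the thread or from Coinbase: a small CSP parser and audit that walks `script-src` and `object-src` (falling back to `default-src` the way browsers do) and flags `'unsafe-inline'`, `'unsafe-eval'`, wildcard hosts, and any host that is not the first-party origin. The sample input is the policy quoted in the comment, copied verbatim; the first-party host `www.coinbase.com`, the hardened comparison policy and its nonce value are assumptions made for the demonstration.

```python
"""Audit a Content-Security-Policy value for settings that weaken script control.

Added example, not from the Hacker News thread. QUOTED_POLICY is the
original-policy string pasted in the comment above; HARDENED_POLICY and the
nonce inside it are constructed here for comparison.
"""
from __future__ import annotations

# Source expressions that effectively disable script restrictions.
RISKY_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:", "http:", "https:"}
# Keywords that are safe on their own (nonces and hashes are handled by prefix).
SAFE_KEYWORDS = {"'self'", "'none'", "'strict-dynamic'"}
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Policy quoted verbatim in the comment (report-uri onward is the end of it).
QUOTED_POLICY = (
    "default-src https://www.coinbase.com https://*.olark.com; "
    "connect-src https://www.coinbase.com wss://ws.pusherapp.com https://api.mixpanel.com; "
    "font-src https://www.coinbase.com https://*.olark.com; "
    "frame-src https://www.coinbase.com https://*.wpstn.com https://h.online-metrix.net https://*.siftscience.com; "
    "img-src https://www.coinbase.com https://i2.wp.com https://secure.gravatar.com "
    "https://secure.etrust.org https://ssl.google-analytics.com data:; "
    "media-src https://www.coinbase.com https://*.olark.com; "
    "object-src https://www.coinbase.com https://*.olark.com; "
    "script-src https://www.coinbase.com 'unsafe-inline' 'unsafe-eval' https://stats.pusher.com "
    "https://cdn.siftscience.com https://*.newrelic.com https://*.google-analytics.com "
    "https://www.google.com https://www.youtube.com https://*.ytimg.com; "
    "style-src https://www.coinbase.com 'unsafe-inline'; "
    "report-uri https://www.coinbase.com/csp-report"
)

# Constructed hardened policy for contrast: no third-party script hosts,
# scripts allowed only from the page's own origin plus a per-response nonce.
HARDENED_POLICY = (
    "default-src 'none'; script-src 'self' 'nonce-d3adb33f'; object-src 'none'; "
    "style-src 'self'; img-src 'self'; connect-src 'self'; report-uri /csp-report"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source, ...]}.

    Directives are ';'-separated; the first whitespace token is the directive
    name, the rest are sources. A repeated directive is ignored, which is how
    browsers treat duplicates (only the first occurrence counts).
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def host_of(source: str) -> str | None:
    """Return the host of a host-source (https://*.olark.com -> *.olark.com).

    Quoted keywords ('self', 'nonce-...') and bare schemes (data:) have no host.
    """
    if source.startswith("'") or source.endswith(":"):
        return None
    rest = source.split("://", 1)[1] if "://" in source else source
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def audit_csp(policy: str, first_party_host: str) -> list[tuple[str, str, str]]:
    """Return (directive, finding, source) triples for script-src and object-src."""
    findings: list[tuple[str, str, str]] = []
    directives = parse_csp(policy)
    for name in ("script-src", "object-src"):
        if name not in directives and "default-src" not in directives:
            # Neither the directive nor a fallback: nothing restricts this type.
            findings.append((name, "unrestricted", f"(no {name} or default-src)"))
            continue
        sources = directives.get(name, directives.get("default-src", []))
        for src in sources:
            if src in RISKY_KEYWORDS:
                findings.append((name, "risky-keyword", src))
            elif src in SAFE_KEYWORDS or src.startswith(HASH_OR_NONCE_PREFIXES):
                continue
            else:
                host = host_of(src)
                if host is None:
                    continue
                if host.startswith("*."):
                    findings.append((name, "wildcard-host", src))
                elif host != first_party_host.lower():
                    findings.append((name, "third-party-host", src))
    return findings


if __name__ == "__main__":
    for label, policy in (("quoted", QUOTED_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {label} ==")
        for directive, finding, src in audit_csp(policy, "www.coinbase.com"):
            print(f"{directive:11s} {finding:17s} {src}")
```

Run against the quoted policy this reports ten findings: the two `unsafe-*` keywords, four third-party script hosts, three wildcard script hosts, and the `*.olark.com` wildcard in `object-src`; the hardened policy yields none. The audit looks only at the script and plugin directives because those are the ones that decide what code runs on a key-generating page; `img-src` or `connect-src` entries such as `data:` are a separate, lower-severity question.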