
Content Security Policy by API - jbaviat
https://www.npmjs.com/package/csp-by-api
======
jbaviat
Very nice idea behind this project, that's something that could be generalized
to offer vendors a nice API way to share their recommended CSP policies to
their users.

For as much as I know, segment.io or intercom.io are still very painful to use
with CSP.

~~~
nailer
Thanks! Yeah, right now it's mainly the services we use at CertSimple and
Mashape (who've contributed). So we have olark in there, because we use it,
but not intercom.

Also finding required CSP is often trial and error, since vendors don't
publish CSP settings. For example, Stripe do, Braintree don't and refused to
when asked.

Best way to have the vendors would maybe be as npm modules - eg, Stripe could
publish and update 'stripe-csp'. It's not ideal though as npm is JS specific
as someone might be using Ruby or Python or Elixir or Java. But since there's
no cross language repo, maybe npm as a JSON repo is a good idea.

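The "vendors publish their CSP as JSON modules, consumers merge them" idea above, as an added example that is not part of the thread or of csp-by-api: the fragment shape, the vendor names and every host below are constructed placeholders, and the merge logic is mine, not the package's.

```javascript
// Added example, not code from csp-by-api or any vendor. Each fragment has the
// shape a hypothetical JSON module such as 'stripe-csp' might export:
// { directive: [source, ...] }. All hosts below are constructed placeholders.
const baseline = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'frame-src': ["'none'"],
};
// Constructed fragments standing in for what two vendors might publish.
const vendorFragments = {
  paymentVendor: {
    'script-src': ['https://js.payment.example'],
    'frame-src': ['https://js.payment.example'],
    'connect-src': ['https://api.payment.example'],
  },
  chatWidget: {
    'script-src': ['https://cdn.chat.example', "'unsafe-inline'"],
    'img-src': ['https://cdn.chat.example', 'data:'],
    'connect-src': ['wss://rt.chat.example'],
  },
};
// Merge fragments into the baseline, deduplicating sources. Browsers ignore
// 'none' alongside other sources, so it is dropped once a vendor needs a real origin.
function mergePolicies(base, fragments) {
  const merged = {};
  for (const [d, sources] of Object.entries(base)) merged[d] = new Set(sources);
  for (const fragment of Object.values(fragments)) {
    for (const [d, sources] of Object.entries(fragment)) {
      const set = merged[d] || new Set();
      set.delete("'none'");
      for (const s of sources) set.add(s);
      merged[d] = set;
    }
  }
  return merged;
}
// Render as a Content-Security-Policy header value (sorted for stable diffs).
function toHeaderValue(policy) {
  return Object.keys(policy).sort()
    .map((d) => `${d} ${[...policy[d]].join(' ')}`).join('; ');
}
// Surface vendor-introduced sources that weaken the policy for human review.
function riskySources(policy) {
  const risky = new Set(["'unsafe-inline'", "'unsafe-eval'", '*']);
  return Object.entries(policy).flatMap(([d, srcs]) =>
    [...srcs].filter((s) => risky.has(s)).map((s) => `${d}: ${s}`));
}
console.log(toHeaderValue(mergePolicies(baseline, vendorFragments)));
```

The review list is the part worth keeping in CI: a vendor module update that suddenly asks for 'unsafe-inline' should fail the build rather than silently widen the header.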
~~~
jbaviat
So actually I've asked WebAppSec about any similar project, let's see how it
goes ([http://lists.w3.org/Archives/Public/public-webappsec/2017Nov...](http://lists.w3.org/Archives/Public/public-webappsec/2017Nov/0020.html)).

