

Content Security Policy: A Primer - Isofarro
http://mikewest.org/2011/10/content-security-policy-a-primer

======
alperakgun
Good idea but white listing seems inflexible for all web sites, now that most
innovation takes place on ready sharing on social networks.

~~~
mikewest
CSP doesn't block you from using social networking widgets: it does insist,
however, that you specify up front which widgets you'll be using, and to
whitelist those domains. If you trust Facebook's JavaScript, for example, you
can certainly include it on your site. You'll need to whitelist the
appropriate domain for framing or scripting, that's all.

------
barefoot
Would jQuery still function?

~~~
mikewest
As long as it's in an external JS file, sure. CSP simply prevents you from
calling script inline. `<script>$('something').hide();</script>` wouldn't
work: you'd have to move your JavaScript code into an external file.

For example, you could load the library from Google's CDN by whitelisting the
origin via `script-src http://ajax.googleapis.com/` and pulling the script
via `<script type='text/javascript'
src='http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js'></script>`.
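A small script-src evaluator, as an added example that is not part of the original thread or the linked article: it applies the whitelisting rule from the comment above to the inline jQuery call and to the CDN URL. The page origin http://example.test and the policy string are constructed assumptions.

```javascript
// Added example (not code from the thread or the linked article): a simplified
// evaluator for the CSP script-src directive, showing why inline script is blocked
// while an external file from a whitelisted origin loads. Ports, nonces, hashes omitted.

// Return the source list for a directive, or null when the header lacks it.
function directiveSources(header, name) {
  for (const directive of header.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === name) return parts.slice(1);
  }
  return null;
}

// Match one host-source expression (http://ajax.googleapis.com/, *.googleapis.com)
// against a parsed URL: optional scheme, host with optional *. wildcard, path.
function hostSourceMatches(source, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path] = m;
  // Strict scheme comparison; an expression with no scheme matches any scheme here.
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  if (h.startsWith('*.')) {
    if (!url.hostname.endsWith(h.slice(1))) return false;   // '.googleapis.com'
  } else if (url.hostname !== h) {
    return false;
  }
  // A path ending in '/' is a directory prefix; any other path must match exactly.
  if (path && path !== '/') {
    return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  }
  return true;
}

// Decide whether a script (inline, or external via src) may run on a page served
// from pageOrigin under the given Content-Security-Policy header value.
function isScriptAllowed(header, pageOrigin, script) {
  const sources = directiveSources(header, 'script-src')
    || directiveSources(header, 'default-src');   // script-src falls back to default-src
  if (sources === null) return true;              // nothing restricts scripts
  if (script.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(script.src, pageOrigin);    // also resolves relative src values
  return sources.some(s =>
    s === "'self'" ? url.origin === pageOrigin : hostSourceMatches(s, url));
}
// Constructed sample: the policy from the comment above, on a hypothetical page.
const policy = "default-src 'self'; script-src 'self' http://ajax.googleapis.com/";
const pageOrigin = 'http://example.test';
const jqueryCdn = 'http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js';
```

Under this policy the inline `$('something').hide();` is refused, while the same call moved into a file at `/js/app.js` or the jQuery build on the whitelisted CDN origin is allowed.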

