
Maintaining the list for the most popular sites is not a huge ordeal. You have a bug tracker where people can submit issues; when you get one, you take a few minutes to check that the whois matches the main site and that the page actually links the script in a way consistent with what we want to approve, and the opposite if you get a report of something having changed the other way. An individual could do it by spending a few hours a month.

For less popular sites, the user can add it manually, or the site operator notices their site is broken for increasingly many users and stops linking scripts from other domains.

> And, for fun, on the other side I believe a few years ago google's in house public hosting of jQuery received a bad push and was serving a tainted package for a while... even the good actors can mess this up.

That's an independent problem. You could have the same thing happen for actual first party scripts.

And in this context if they're really good actors then they fix it as soon as it's discovered, and if they're not then you take them off the approved list.

It can be done and can be pretty nice. I got to around 30 websites myself with just custom CSP policies for each and plenty of ideas about what to do next. Like making CSP policies composable, so I can define a rule for, say, recaptcha and include it for websites that use it, and things like that. Javascript walls (cloudflare, sucuri, etc.) are another problem: you wouldn't want to enable javascript just to pass them, and you wouldn't want to pass them automatically as it would allow websites to enable javascript. They also may include recaptcha, etc. Still, nothing that can't be solved.
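The composable per-site CSP idea in the comment above, worked as an added example (not code from the commenter or from Hacker News): named fragments such as a `recaptcha` rule are merged into one policy per site, and a small checker answers whether that policy would let a given URL load, including the browser's fallback to `default-src`. The fragment names, the hosts in them, and the simplified source matching are assumptions made for the example.

```python
"""Compose per-site Content-Security-Policy headers from reusable fragments."""
from typing import Dict, List
from urllib.parse import urlsplit

Policy = Dict[str, List[str]]

# Reusable fragments (constructed sample data; hosts are illustrative only).
FRAGMENTS: Dict[str, Policy] = {
    "base": {"default-src": ["'none'"], "script-src": ["'self'"],
             "style-src": ["'self'"], "img-src": ["'self'"]},
    "recaptcha": {"script-src": ["https://www.google.com/recaptcha/",
                                 "https://www.gstatic.com/recaptcha/"],
                  "frame-src": ["https://www.google.com/recaptcha/"]},
}
# Directives that fall back to default-src when absent (subset, for the example).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "frame-src",
                    "connect-src", "font-src"}

def compose(*names: str) -> Policy:
    """Merge fragments in order; a fragment can only add sources, never remove."""
    merged: Policy = {}
    for name in names:
        for directive, sources in FRAGMENTS[name].items():
            bucket = merged.setdefault(directive, [])
            bucket.extend(s for s in sources if s not in bucket)
    return merged

def serialize(policy: Policy) -> str:
    """Render the policy as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())

def _source_matches(src: str, url: str, site_origin: str) -> bool:
    # Simplified CSP host-source matching: scheme, host (with *. wildcard), path prefix.
    if src == "'self'":
        src = site_origin
    elif src.startswith("'"):          # 'none', nonces, hashes: never a host match
        return False
    u, s = urlsplit(url), urlsplit(src if "://" in src else "https://" + src)
    host = u.hostname or ""
    host_ok = host == s.hostname or (
        (s.hostname or "").startswith("*.") and host.endswith(s.hostname[1:]))
    path_ok = s.path in ("", "/") or u.path.startswith(s.path)
    return u.scheme == s.scheme and host_ok and path_ok

def allows(policy: Policy, directive: str, url: str, site_origin: str) -> bool:
    """Would this policy let `directive` load `url` on a page served from `site_origin`?"""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src", [])   # browser fallback behaviour
    return any(_source_matches(s, url, site_origin) for s in sources or [])
```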

