I wrote a bookmarklet that analyzes the content on the current page and recommends a Content Security Policy based on the types of resources it finds on the page and the origins they are loaded from. The implementation also takes into account resources that JavaScript adds to the page dynamically, which a scan of the static HTML alone would miss.
For instance, today I learned that ReCAPTCHA loads script not only from api.recaptcha.net but also from www.google.com. Note to self: figure out why Google needs to know about every ReCAPTCHA load.
You can test it out by clicking the following bookmarklet: Recommend CSP
If you find it useful, drag it to your bookmarks toolbar and you can use it from any web page. Feel free to check out the bookmarklet source as well.
In the future, I would like to add notifications for potential inline script violations.
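To make the approach concrete, here is an added example of the same idea (my own illustration, not the bookmarklet's source): reduce each resource the page loads to a CSP source expression, group the expressions by directive, flag inline script and style that a strict policy would block, and in a browser re-run the scan whenever scripts add nodes to the DOM. The tag-to-directive table, the sample page origin and the sample resource list are constructed for the example; the two ReCAPTCHA script hosts are the ones named above.

```javascript
'use strict';
// Added example (not the post's bookmarklet source): derive a CSP
// recommendation from the resources a page actually loads, and in a browser
// keep the recommendation current as scripts add more nodes to the DOM.

// Which CSP directive governs each element type (tag names as the DOM reports them).
const KIND_FOR_TAG = {
  SCRIPT: 'script', IMG: 'img', IFRAME: 'frame', VIDEO: 'media',
  AUDIO: 'media', OBJECT: 'object', EMBED: 'object',
};

// Reduce a (possibly relative) URL to a CSP source expression:
// same-origin -> 'self'; data:/blob: -> the scheme; otherwise scheme://host[:port].
function sourceExpression(url, pageOrigin) {
  const u = new URL(url, pageOrigin);
  if (u.protocol === 'data:' || u.protocol === 'blob:') return u.protocol;
  if (u.origin === pageOrigin) return "'self'";
  return `${u.protocol}//${u.host}`;
}

// resources: [{ kind: 'script', url: '/app.js' }, { kind: 'script', inline: true }, ...]
// Returns { policy, warnings }. Anything not observed falls under default-src 'none'.
function recommendCsp(resources, pageOrigin) {
  const sources = new Map();      // directive -> Set of source expressions
  const inlineCounts = new Map(); // directive -> number of inline blocks seen
  for (const r of resources) {
    const directive = `${r.kind}-src`;
    if (r.inline) {
      inlineCounts.set(directive, (inlineCounts.get(directive) || 0) + 1);
      continue;
    }
    if (!sources.has(directive)) sources.set(directive, new Set());
    sources.get(directive).add(sourceExpression(r.url, pageOrigin));
  }
  const parts = ["default-src 'none'"];
  for (const [directive, set] of [...sources].sort((a, b) => (a[0] < b[0] ? -1 : 1))) {
    parts.push(`${directive} ${[...set].sort().join(' ')}`);
  }
  // Inline script/style is exactly what a strict policy blocks; flag it rather than
  // silently recommending 'unsafe-inline', which would defeat the policy's purpose.
  const warnings = [...inlineCounts].map(([directive, n]) =>
    `${n} inline ${directive.replace('-src', '')} block(s) would be blocked; ` +
    `use a nonce or hash instead of 'unsafe-inline'`);
  return { policy: parts.join('; '), warnings };
}

// Browser only: turn the current DOM into resource records for recommendCsp().
function collectFromDom(root) {
  const records = [];
  const selector = Object.keys(KIND_FOR_TAG).join(',') + ',link[rel="stylesheet"],style';
  for (const el of root.querySelectorAll(selector)) {
    const tag = el.tagName.toUpperCase();
    if (tag === 'STYLE') { records.push({ kind: 'style', inline: true }); continue; }
    if (tag === 'LINK') { records.push({ kind: 'style', url: el.getAttribute('href') }); continue; }
    const url = el.getAttribute('src') || el.getAttribute('data');
    if (tag === 'SCRIPT' && !url) { records.push({ kind: 'script', inline: true }); continue; }
    if (url) records.push({ kind: KIND_FOR_TAG[tag], url });
  }
  return records;
}

// Constructed sample input standing in for one page scan: a same-origin script,
// the two ReCAPTCHA script hosts named in the post, one inline script, two images
// and one frame. The origin and hosts are illustrative.
const samplePageOrigin = 'https://example.com';
const sampleResources = [
  { kind: 'script', url: '/static/app.js' },
  { kind: 'script', url: 'https://api.recaptcha.net/recaptcha/api.js' },
  { kind: 'script', url: 'https://www.google.com/recaptcha/api.js' },
  { kind: 'script', inline: true },
  { kind: 'img', url: 'data:image/png;base64,iVBORw0KGgo=' },
  { kind: 'img', url: '//cdn.example.net/logo.png' },
  { kind: 'frame', url: 'https://www.google.com/recaptcha/api2/anchor' },
];

if (typeof document === 'undefined') {
  // Running under Node: show the recommendation for the constructed sample.
  const { policy, warnings } = recommendCsp(sampleResources, samplePageOrigin);
  console.log(policy);
  warnings.forEach((w) => console.log('warning:', w));
} else {
  // Running as a bookmarklet: report now, and again whenever scripts add nodes.
  const report = () => {
    const { policy, warnings } = recommendCsp(collectFromDom(document), location.origin);
    console.log('Recommended CSP:', policy);
    warnings.forEach((w) => console.warn(w));
  };
  report();
  new MutationObserver(report).observe(document.documentElement, { childList: true, subtree: true });
}
```

A policy derived this way reflects one page load by one user, so treat it as a starting point: other pages, logged-in states and third-party widgets (the ReCAPTCHA case above) will pull in origins you did not see. Deploy the result as Content-Security-Policy-Report-Only first and tighten it from the violation reports before enforcing.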
I love it, thank you 🙂
Hi, you do a really good job! Thank you.
You said “In the future, I would like to add notifications for potential inline script violations.”
Have you done it yet?
Please email me, thanks again!!
Yep, I've found it in your new post.
Thanks!!