I wrote up my thoughts on detecting content injection into sites. It came down to:
- Use HTTPS
- Use Content Security Policy (CSP)
The issue is that CSP has low adoption and a poor developer experience. It got me thinking about how it could be improved and fit into a model that I think is more amenable to most developers. A little bit of backstory.
CSP is a declarative language that tells the browser which network requests a page is allowed to make and how it should handle the ones it is not.
There is nothing inherently wrong with this, it's just that I find the syntax hard.
Will we get imperative Content Security Policy with Service Worker for free?
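As an added example (not code from the original post), here is what an imperative policy in a service worker's `fetch` handler could look like: each outgoing request is classified by its `Request.destination`, checked against an allowlist of origins per bucket (loosely mirroring CSP's `script-src`, `style-src`, `img-src` and `default-src`), and either passed through to the network or blocked with a violation report, much like CSP's `report-uri`. The origins, the `POLICY` object and the report endpoint are constructed placeholders; the registration at the end only runs when the script is actually loaded as a service worker.

```javascript
// Added example of an imperative, allowlist-based request policy enforced from
// a service worker. Not code from the original post; origins, bucket names and
// the report endpoint below are constructed placeholders.

const POLICY = {
  // Which origins each request destination may be fetched from. Buckets roughly
  // mirror CSP's script-src / style-src / img-src / default-src.
  script:  ["https://example.test", "https://cdn.example.test"],
  style:   ["https://example.test"],
  image:   ["https://example.test", "https://images.example.test"],
  default: ["https://example.test"],
  // Endpoint that receives violation reports (placeholder, like CSP report-uri).
  reportTo: "https://example.test/csp-report",
};

// Map a Request.destination value (e.g. "script", "image", "" for fetch/XHR)
// onto one of the policy buckets above.
function bucketFor(destination) {
  switch (destination) {
    case "script":
    case "worker":
    case "sharedworker":
      return "script";
    case "style":
      return "style";
    case "image":
      return "image";
    default:
      return "default";
  }
}

// Decide whether a request may go to the network. Request.url is always an
// absolute URL, so new URL() works; blob:/data: URLs have an opaque origin that
// serialises as "null" and therefore never match an allowlist entry.
function evaluateRequest(url, destination, policy = POLICY) {
  const origin = new URL(url).origin;
  const bucket = bucketFor(destination);
  const allowed = policy[bucket].includes(origin);
  return { allowed, bucket, origin };
}

// Build a report shaped like a CSP violation report so it can be fed into the
// same collection pipeline (field names chosen to resemble CSP's, assumption).
function buildViolationReport(url, destination, verdict) {
  return {
    "blocked-uri": url,
    "violated-directive": `${verdict.bucket}-src`,
    "blocked-origin": verdict.origin,
    "destination": destination,
    "scope": (typeof self !== "undefined" && self.registration)
      ? self.registration.scope
      : null,
  };
}

// Only register the handler when running inside a service worker global scope.
if (typeof self !== "undefined" && typeof self.addEventListener === "function") {
  self.addEventListener("fetch", (event) => {
    const { url, destination } = event.request;
    const verdict = evaluateRequest(url, destination);
    if (verdict.allowed) {
      return; // no respondWith(): the browser fetches from the network as usual
    }
    const report = buildViolationReport(url, destination, verdict);
    // Requests issued from the worker itself are not intercepted by this handler,
    // so sending the report cannot recurse into another block.
    event.waitUntil(
      fetch(POLICY.reportTo, {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify(report),
      }).catch(() => {})
    );
    event.respondWith(
      new Response("", { status: 403, statusText: "Blocked by service worker policy" })
    );
  });
}
```

Two caveats worth keeping in mind when comparing this with real CSP: a service worker only sees requests that actually go to the network, so it cannot restrict inline `<script>` blocks or `eval()` the way `script-src` can, and it is not in place for the very first navigation before the worker has been installed, whereas a CSP header applies from the first response.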
I lead the Chrome Developer Relations team at Google.
We want people to have the best experience possible on the web without having to install a native app or produce content in a walled garden.
Our team tries to make it easier for developers to build on the web by supporting every Chrome release, creating great content to support developers on web.dev, contributing to MDN, helping to improve browser compatibility, and building some of the best developer tools, like Lighthouse, Workbox and Squoosh, to name just a few.