>
> I do wonder (like Brian) whether this is really CSP, or something
> separate; it seems like a lot of things are getting shoved into CSP because
> that’s the tool at hand…
>
>
This 'CSP as a kitchen sink' issue has been a concern for some time (since
CSP was first proposed, as i understand it) and it does seem to be
happening to some degree.
Along these lines I will cite what I consider to be the most interesting
piece of
https://www.veracode.com/blog/2014/10/security-headers-top-1000000-websites-october-2014-report
here :
"One thing that seems clear; simple, single purpose security headers
continue to have wider adoption because their effects are well known and
they are extremely easy to configure."
the article then goes on to argue that this is one reason CSP sees lower
adoption but i personally think it's more about nonce and hash whitelisting
of selected inline scripts and getting those shaken out in implementations.
cheers,
ian