Graduated in Digital Media (M.Sc.), now developing the next generation of educational software. For a while now I have been developing full stack in JavaScript using Meteor. Love fitness and Muay Thai after work.
With a CSP in place, marketeers can no longer just add a cool new tracking-script via Google Tag Manager or similar. So: be prepared to hear a lot of complaints, unless you create a CMS-block, where they can add/remove CSP entries themselves!
No offence, but no marketeer or sales person will ever get my permission or an implementation to change any part of the CSP on their own.
I'm a web developer, graphic designer, type designer, musician, comicbook-geek, LEGO-collector, food lover … as well as husband and father, located just south of Copenhagen, Denmark.
I've worked for clients who removed a CSP-implementation or chose not to have a CSP, because marketeers wanted the freedom to implement any script via Google Tag Manager. In these cases, a CMS-block is much better than not having a CSP, although it's dangerous territory, and I agree with you.
Graduated in Digital Media (M.Sc.), now developing the next generation of educational software. For a while now I have been developing full stack in JavaScript using Meteor. Love fitness and Muay Thai after work.
Why am I not surprised that some clients literally come up with such decisions :-/
But under these circumstances I totally agree - better having them edit (a part of) the CSP than having none. I wonder if this would be implemented in a workflow, where the system (using include/exclude lists) or a human can review these edits, before actually publishing them.
I'm a web developer, graphic designer, type designer, musician, comicbook-geek, LEGO-collector, food lover … as well as husband and father, located just south of Copenhagen, Denmark.
Yes, any changes to the "CSP-config-block" can be previewed and verified before being published.
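The review step discussed in this thread (include/exclude lists first, a human for everything else) could look like the following. This is an added example, not code from any commenter or from the CMS they describe; the editable directives, list contents and function names are assumptions constructed for illustration.

```javascript
// Added example: review gate for CSP entries submitted through a CMS block.
// Directive set, host lists and function names are constructed for illustration.
const EDITABLE_DIRECTIVES = new Set(["script-src", "img-src", "connect-src"]);
const INCLUDE_LIST = new Set(["www.googletagmanager.com", "www.google-analytics.com"]);
const EXCLUDE_LIST = new Set(["cdn.untrusted.example"]);
// Keywords and bare schemes that would hollow out the policy if an editor could add them.
const FORBIDDEN = /^('unsafe-inline'|'unsafe-eval'|'unsafe-hashes'|\*|data:|blob:|http:|https:)$/i;

function reviewEntry(directive, source) {
  if (!EDITABLE_DIRECTIVES.has(directive)) {
    return { decision: "reject", reason: "directive not editable via CMS" };
  }
  const value = String(source).trim();
  // Whitespace, ';' or ',' would let one field smuggle extra sources or directives.
  if (value === "" || /[\s;,]/.test(value)) {
    return { decision: "reject", reason: "malformed source" };
  }
  if (FORBIDDEN.test(value)) {
    return { decision: "reject", reason: "keyword, wildcard or bare scheme" };
  }
  // Accept only https://host, with no path, port or wildcard label.
  const m = /^https:\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)$/i.exec(value);
  if (!m) return { decision: "reject", reason: "must be https://host" };
  const host = m[1].toLowerCase();
  if (EXCLUDE_LIST.has(host)) return { decision: "reject", reason: "host on exclude list" };
  if (INCLUDE_LIST.has(host)) return { decision: "approve", reason: "host on include list" };
  return { decision: "human-review", reason: "host on neither list" };
}

// Merge only approved entries into the developer-owned base policy;
// everything else is returned for the preview/verify step before publishing.
function buildPolicy(base, entries) {
  const policy = Object.fromEntries(Object.entries(base).map(([d, s]) => [d, new Set(s)]));
  const pending = [];
  for (const { directive, source } of entries) {
    const result = reviewEntry(directive, source);
    if (result.decision === "approve") {
      if (!policy[directive]) policy[directive] = new Set();
      policy[directive].add(String(source).trim().toLowerCase());
    } else {
      pending.push({ directive, source, ...result });
    }
  }
  const header = Object.entries(policy).map(([d, s]) => `${d} ${[...s].join(" ")}`).join("; ");
  return { header, pending };
}
```

Only approved entries reach the published header; rejected and unknown hosts stay in `pending` until someone with authority over the policy decides.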