Advanced CSP Techniques
Modern CSP specifications include advanced features that provide even stronger protections. The 'strict-dynamic' directive allows scripts that are already trusted to load additional scripts without explicitly whitelisting their sources, which is useful for applications using module loaders or dynamic imports. The directive extends trust from a script to the scripts it loads programmatically, while still blocking parser-inserted scripts, which are the kind XSS attacks typically rely on. Combined with nonces or hashes for the initial script loading, 'strict-dynamic' provides both security and flexibility.
Trusted Types, a newer addition to CSP, addresses DOM-based XSS by requiring special typed objects at dangerous DOM APIs. Instead of accepting arbitrary strings in innerHTML or document.write, Trusted Types enforcement ensures that only TrustedHTML objects are accepted by those sinks. This creates a clear boundary between validated, safe HTML and potentially dangerous strings. While browser support is still growing, Trusted Types represent the future of DOM XSS prevention and can be polyfilled for broader compatibility.
CSP reporting provides valuable security telemetry. Configure report-uri or report-to directives to collect violation reports, but be prepared for noise from browser extensions and third-party modifications. Implement filtering to identify genuine violations versus false positives. Some organizations use CSP reporting as an early warning system for XSS attempts, investigating unusual violations that might indicate attacks. Regular analysis of CSP reports can also identify opportunities to tighten policies further.
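The filtering step described above, as an added example that is not part of the original article: a small triage routine that separates browser-extension noise from violations worth investigating. The sample reports and the `KNOWN_SCRIPT_HOSTS` allowlist are constructed for this example; field names follow the legacy report-uri JSON shape (`csp-report` wrapper) and the Reporting API shape (`body` wrapper) that browsers send.

```javascript
// Added example: triage of CSP violation reports received at a reporting endpoint.
// Schemes used by browser extensions; content blocked from these is not an attack on the site.
const EXTENSION_SCHEMES = ["chrome-extension", "moz-extension", "safari-extension", "safari-web-extension"];
// Assumed list of hosts the application legitimately loads scripts from (constructed for this example).
const KNOWN_SCRIPT_HOSTS = new Set(["cdn.example.com"]);

function unwrap(report) {
  // Accept both the legacy report-uri shape and the Reporting API shape.
  return report["csp-report"] || report.body || report;
}

function classify(report) {
  const r = unwrap(report);
  const blocked = String(r["blocked-uri"] || r.blockedURL || "");
  const source = String(r["source-file"] || r.sourceFile || "");
  const directive = String(r["effective-directive"] || r.effectiveDirective || r["violated-directive"] || "");
  const sample = String(r["script-sample"] || r.sample || "");

  if (EXTENSION_SCHEMES.some((s) => blocked.startsWith(s + "://") || source.startsWith(s + "://"))) {
    return "noise:extension";
  }
  if (!directive.startsWith("script-src")) return "review:non-script";
  if (blocked === "inline" || blocked === "eval") {
    // An inline script without a valid nonce was blocked. A captured sample is the
    // strongest hint that an injection attempt was stopped and deserves a look.
    return sample ? "suspicious:inline-script" : "review:inline-no-sample";
  }
  try {
    const host = new URL(blocked).hostname;
    // A known host being blocked points at a policy gap; an unknown one at a possible injection.
    return KNOWN_SCRIPT_HOSTS.has(host) ? "review:policy-gap" : "suspicious:external-script";
  } catch {
    return "review:unparsable";
  }
}

function triage(reports) {
  const counts = {};
  for (const rep of reports) {
    const c = classify(rep);
    counts[c] = (counts[c] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports (not real telemetry).
const SAMPLE_REPORTS = [
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "inline", "script-sample": "var injected = 1; // constructed" } },
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "chrome-extension://abcdef/content.js" } },
  { body: { effectiveDirective: "script-src-elem", blockedURL: "https://not-allowlisted.invalid/x.js" } },
  { "csp-report": { "effective-directive": "img-src", "blocked-uri": "https://tracker.invalid/p.gif" } },
  { body: { effectiveDirective: "script-src-elem", blockedURL: "inline", sourceFile: "moz-extension://1234/inject.js" } },
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "https://cdn.example.com/lib.js" } },
];
```

Running `triage(SAMPLE_REPORTS)` buckets the six constructed reports so that only the two "suspicious" entries need analyst attention; the rest are extension noise or policy-tuning candidates.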