PS Product Security Knowledge Base

🧩 CSP, SRI, and Third-Party JavaScript Control Patterns

CSP and Third-Party Script Trust Flow

Intro: This page turns XSS-defense and third-party dependency guidance from the uploaded books into a compact engineering review model.

What this page includes

  • practical CSP design choices
  • when SRI helps and when it does not
  • how to review third-party JavaScript in a product-security workflow
  • modernization notes beyond older copy-paste header recipes

Why CSP still matters

CSP is not a silver bullet. It is a compensating and containment control that narrows which script sources may execute, helps reduce damage when templating or sanitization fails, and gives the team a deployable allow-list with telemetry.

Practical rollout pattern

  1. List required first-party and third-party script origins for each high-value page class.
  2. Start with report-only mode on representative traffic.
  3. Reduce inline script debt deliberately using nonces or hashes where needed.
  4. Move important surfaces to enforced policy.

Script-source decisions

A safer default is:

  • self-host where practical;
  • allow exact origins instead of wildcards;
  • review every third-party script as code execution, not as "just telemetry."

Questions to ask:

  • Can this script read authenticated page content?
  • Can it issue same-origin requests or invoke app actions?
  • Can the vendor change behavior without your release process noticing?

SRI in the real world

SRI is useful for fixed-version static external assets, but it does not solve tag-manager chaining, runtime widget injection, or broad third-party trust. Inventory control and ownership remain essential.

Common failure modes

  • broad script-src wildcards that survive forever after a rushed integration;
  • 'unsafe-inline' kept permanently because the team never budgeted remediation;
  • tag managers treated as lower-risk than direct scripts;
  • no owner for stale widgets, chat tools, or abandoned A/B test code.

Release criteria

  • CSP reviewed per page class, not only globally
  • every third-party script has a documented owner and purpose
  • high-value pages reviewed for script minimization
  • SRI used where external static assets are intentionally loaded
  • CSP violations routed to telemetry with triage ownership

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.