The Content Security Policy spec has been an amazing front-end security tool to help prevent XSS and other types of attacks. I’d go as far as to say that every site should implement as specific a CSP as possible. If you aren’t familiar with CSPs, here’s a quick example:
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
If a linked resource or content on the page doesn’t pass a given CSP rule, it won’t be loaded. Of course getting a massive site to pass one CSP is difficult — just ask Facebook:
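To make the "doesn't pass a rule, doesn't load" behaviour concrete, here is an added example (not code from the original post or from seespee) that parses the sample policy above and decides, the way a browser would, whether a few loads are allowed. It assumes the page itself is served from https://example.com, handles only host sources, '*' and 'self', and ignores schemes, ports, paths, nonces and hashes.

```javascript
// Assumed origin of the document that sent the policy (used for 'self').
const PAGE_ORIGIN = "https://example.com";

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Does a single source expression match the resource URL? (simplified matching)
function sourceMatches(source, url, pageOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "'none'") return false;
  // Host source: strip any scheme and path, allow a leading "*." wildcard.
  const host = source.replace(/^[a-z]+:\/\//i, "").split("/")[0];
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// A missing fetch directive falls back to default-src, as the spec requires;
// if neither is present nothing restricts the load.
function isAllowed(policy, directive, resourceUrl, pageOrigin = PAGE_ORIGIN) {
  const sources = policy[directive] ?? policy["default-src"];
  if (!sources) return true;
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// The post's sample header, walked through with constructed resource URLs.
const SAMPLE_POLICY =
  "default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com";
const policy = parseCsp(SAMPLE_POLICY);
console.log(isAllowed(policy, "script-src", "https://userscripts.example.com/a.js")); // true
console.log(isAllowed(policy, "script-src", "https://cdn.example.net/a.js"));          // false
console.log(isAllowed(policy, "img-src", "https://pics.example.net/p.png"));           // true ('*')
console.log(isAllowed(policy, "media-src", "https://media3.com/clip.mp4"));            // false
console.log(isAllowed(policy, "connect-src", "https://example.com/api"));              // true (default-src 'self')
console.log(isAllowed(policy, "connect-src", "https://api.example.net/v1"));           // false
```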
Browsers provide you CSP error and warning information in the web console but that doesn’t help developers prevent issues before a push to production. Enter seespee — a Node.