
Topic on Talk:Requests for comment/Content-Security-Policy

Limitations & things to keep in mind

GWicke (talkcontribs)

I also like the general direction, as well as the phased approach. Some thoughts / notes off the top of my head:

  • HTML and SVG responses from APIs are also a good target for CSP headers. As an example, the REST API already sends CSP headers disallowing unsafe inline scripts, and limits style loading to a few domains. This can be further tightened down, especially for media.
  • JSON API responses containing HTML do not directly profit from CSP protection, and are commonly used in a way that requires the HTML to be properly sanitized. Having restrictive CSP headers on the parent page should be able to mitigate some issues from injected content, but probably not all of them. We should be clear about which issues cannot be addressed by CSP.
Bawolff (talkcontribs)
  • Agree 100% about API responses. I think things like serving images from Special:Undelete would also be a good target.
  • Indeed, CSP will certainly not solve every security problem. In the JSON API case, at best it might help things if there is an insecure script on the wiki using the JSON response in an insecure way (that is, just throwing the HTML contents of some part of the JSON into innerHTML or something).
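An added example, not code from the RFC, from MediaWiki, or from either poster, covering both points above: it audits the CSP header on an API response for the two properties GWicke describes for the REST API (no unsafe inline scripts, style loading limited to a few domains), and flags a JSON body as something the response's own header cannot protect, since CSP is only enforced when the browser renders the response as a document. The allowlisted style host and the sample headers are constructed.

```python
from typing import Dict, List

# Constructed allowlist standing in for "a few domains" (hypothetical host).
ALLOWED_STYLE_SOURCES = {"'self'", "'none'", "https://static.example.org"}

# CSP is enforced when a browser renders a document. A JSON body is data read
# by the parent page's scripts, so the header that matters is the parent's.
RENDERED_TYPES = ("text/html", "image/svg+xml", "application/xhtml+xml")


def csp_applies(content_type: str) -> bool:
    """True if a CSP header on this response is enforced by the browser."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type in RENDERED_TYPES


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().lower().split()
        if tokens and tokens[0] not in policy:  # first occurrence wins (CSP spec)
            policy[tokens[0]] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """A fetch directive that is absent falls back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def audit_api_csp(header: str, content_type: str = "text/html") -> List[str]:
    """Return findings for an API response; an empty list means it passes."""
    if not csp_applies(content_type):
        return [f"{content_type}: CSP is not enforced on this body; audit the parent page"]
    policy = parse_csp(header)
    findings: List[str] = []
    scripts = effective_sources(policy, "script-src")
    if not scripts:
        findings.append("script-src: unrestricted (neither script-src nor default-src set)")
    # With a nonce or hash source present, browsers ignore 'unsafe-inline'.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' lets injected inline script run")
    if "*" in scripts:
        findings.append("script-src: wildcard host source")
    styles = effective_sources(policy, "style-src")
    if not styles:
        findings.append("style-src: unrestricted")
    for src in styles:
        if src not in ALLOWED_STYLE_SOURCES:
            findings.append(f"style-src: {src} is outside the style allowlist")
    return findings
```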