In this lesson, we'll learn how to disable all external content sources except the specific types of external resources we need. For those types, we'll restrict loading to nonce-matching resources only. This effectively mitigates all forms of XSS, using the principle of least power to enable only the capabilities we need, and drastically reducing the surface area for attacks on our website.
Hi! Thanks for the great course! The question is why not just take care of preventing code injection with validation/sanitization of user input for XSS?
Hi Nat! You should definitely do both validation/sanitization AND use CSP. In earlier lessons, I explain that you should always use a "defense in depth" approach to security. That is, if there are two ways to protect, do both in case one of them fails. In this case, input sanitization should always be done, but it's important to recognize that it's also error-prone and difficult to always do successfully. With CSP, you get an extra layer of protection :-)
For example, see this article that describes an XSS vuln that was found in Gmail's AMP implementation but wasn't exploitable because of Gmail's CSP policy: https://mypc.guru/google-developers-fixed-gmail-dynamic-messaging-xss-vulnerability/
Thanks, Mike! You've been very helpful