DEV Community


How do you decide between security and speed?

This is a question for people who have enabled a Content Security Policy header on their website.

Using Content Security Policy headers requires you to remove all inline CSS and JavaScript, which is why I have not done it.

Inline CSS and JavaScript are critical for speed. How do you balance this?

This is a huge dilemma for me, because reducing HTTP requests by inlining CSS/JS makes the site faster.

However, I've read so many articles saying that a Content Security Policy is your number one defense against cross-site scripting (XSS) attacks.

What to do?

Top comments (3)

Jan Küster

How big is the speed disadvantage when CSP is active? Will it matter to your target audience?

fleshmecha

An HTTP request is ~600 ms in my experience. I would need at least two more requests to remove inline JS and CSS, which would add ~1.2s of load time. Youthful people care about speed, which is my target audience. I suppose that's my answer, thanks.

Jan Küster

Have you measured this or is this an estimation? Which bandwidth did you use? Young people usually also care about a provider with good bandwidth. I would always favour security before performance. If you can prevent XSS with other mechanisms then it's fine. By the way, this is a typical use case for a beta test with an A/B setup to see if CSP will really have an impact on user experience.