Which Sites have Content Security Policy to prevent XSS

I was interested in looking at the leaderboard for the sites that enable Content Security Policy, which offers a certain protection from third-party JS used to attack a first-party site (like the recent GitHub attack).

SELECT domain(url) as domainname, count(*) as num
FROM [httparchive:runs.latest_requests]
WHERE lower(respOtherHeaders) contains "content-security-policy" 
GROUP BY domainname 
ORDER BY num desc

which shows Twitter, Google and GitHub to be leaders (sadly, expected to see more big-name properties also enable it… hint hint :wink:)
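As an added example (not from the original post or from HTTP Archive), the following Python applies the query's idea to a few constructed rows but separates enforced policies from Content-Security-Policy-Report-Only headers, which the substring match above also counts even though they block nothing, and flags enforced policies whose effective script-src still allows any host or 'unsafe-inline' without a nonce or hash. The "name = value, name = value" layout of respOtherHeaders and the .test hostnames are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed rows shaped like the `url` and `respOtherHeaders` columns the
# query above reads ("name = value, name = value" is an assumed layout).
SAMPLE_ROWS = [
    ("https://example-a.test/", "x-frame-options = DENY, content-security-policy = default-src 'self'; script-src 'self' https://cdn.example-a.test"),
    ("https://example-a.test/app.js", "content-security-policy = default-src 'self'; script-src 'self' https://cdn.example-a.test"),
    ("https://example-b.test/", "content-security-policy-report-only = default-src 'self'"),
    ("https://example-c.test/", "content-security-policy = default-src *; script-src * 'unsafe-inline'"),
    ("https://example-d.test/", "strict-transport-security = max-age=31536000"),
]

HEADER_RE = re.compile(r"content-security-policy(-report-only)?\s*=\s*([^,]*)", re.I)

def classify_csp(resp_other_headers):
    """Return ("enforced" | "report-only" | "none", policy text).
    A bare substring match on "content-security-policy" also counts the
    Report-Only header, which only logs violations and blocks nothing."""
    found = {("report-only" if m.group(1) else "enforced"): m.group(2).strip()
             for m in HEADER_RE.finditer(resp_other_headers)}
    for mode in ("enforced", "report-only"):
        if mode in found:
            return mode, found[mode]
    return "none", ""

def script_src_restricts_inline(policy):
    """True unless the effective script source list allows any host ('*') or
    'unsafe-inline' without a nonce/hash, which lets injected inline scripts run."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    # script-src falls back to default-src; with neither present, anything loads.
    sources = directives.get("script-src", directives.get("default-src", ["*"]))
    nonce_or_hash = any(s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in sources)
    return "*" not in sources and not ("unsafe-inline" in sources and not nonce_or_hash)

def leaderboard(rows):
    """Per-domain counts split by CSP mode, plus how many enforced policies restrict script."""
    board = {}
    for url, headers in rows:
        mode, policy = classify_csp(headers)
        if mode == "none":
            continue
        counts = board.setdefault(urlparse(url).hostname, Counter())
        counts[mode] += 1
        if mode == "enforced" and script_src_restricts_inline(policy):
            counts["enforced_strict_scripts"] += 1
    return board
```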

Awesome work, @pganti! Here’s a similar query I did in the past.
Looks like there’s been some decent adoption since then.

BTW, much of the work getting CSP in place at Twitter and GitHub is the work of Neil (@ndm).