GitHub's CSP journey
Blog post from GitHub
GitHub has implemented various strategies to address content injection vulnerabilities, notably through the use of a Content Security Policy (CSP), which has evolved significantly over the years. Initially the CSP was relatively simple, allow-listing certain trusted domains to maintain backward compatibility, but it has since been refined to include more restrictive directives as both the policy and browser support matured.

The current CSP focuses on mitigating risks such as Cross-Site Scripting (XSS) and scriptless attacks by restricting the sources of JavaScript, images, and other web resources, while also addressing specific vulnerabilities such as HTML injection and dangling markup attacks. GitHub's approach includes both prevention and detection measures, with an emphasis on using dynamic CSP policies for specific endpoints to ensure a "least privilege" setup.

Despite these advancements, GitHub acknowledges that no policy can completely eliminate all content injection threats, so it continues to explore additional defenses and strategies to mitigate attack vectors that CSP does not cover. The ongoing refinement of these policies and practices demonstrates GitHub's commitment to enhancing security while adapting to new challenges and research findings.
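To make the "least privilege", per-endpoint idea concrete, the following is an added example (not GitHub's own code or its actual policy): a deny-by-default CSP baseline, per-endpoint relaxations applied only where a capability is needed, and a small linter that flags the settings which would undermine the XSS, dangling-markup and detection goals discussed above. The directive names are standard CSP directives; the hostnames, endpoint paths and the `/csp-report` path are placeholders.

```python
"""Per-endpoint ("least privilege") CSP builder plus a policy linter.

Added illustration, not GitHub's code. Directive names are real CSP
directives; hostnames, endpoint paths and the report path are assumptions.
"""
from __future__ import annotations

# Baseline: deny everything, then allow only what every page needs.
# Hostnames and the report endpoint are placeholders (assumptions).
BASE_POLICY: dict[str, list[str]] = {
    "default-src": ["'none'"],
    "script-src": ["https://static.example.test"],
    "style-src": ["https://static.example.test"],
    "img-src": ["'self'", "https://avatars.example.test"],
    "connect-src": ["'self'"],
    "font-src": ["https://static.example.test"],
    # Restrict where forms may post: limits dangling-markup exfiltration via <form>.
    "form-action": ["'self'"],
    # Stop an injected <base> tag from redirecting relative script URLs.
    "base-uri": ["'self'"],
    # Disallow framing unless an endpoint explicitly opts in.
    "frame-ancestors": ["'none'"],
    # Detection: browsers report violations here (placeholder path).
    "report-uri": ["/csp-report"],
}

# Per-endpoint relaxations: only the endpoint that needs a capability gets it.
ENDPOINT_OVERRIDES: dict[str, dict[str, list[str]]] = {
    "/embed": {"frame-ancestors": ["https://partner.example.test"]},
    "/payment": {"form-action": ["'self'", "https://pay.example.test"]},
}


def build_csp(path: str) -> str:
    """Return the Content-Security-Policy header value for a request path."""
    policy = {k: list(v) for k, v in BASE_POLICY.items()}
    policy.update(ENDPOINT_OVERRIDES.get(path, {}))
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive: [sources]}."""
    out: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def lint_csp(header: str) -> list[str]:
    """Flag settings that undermine the protections the policy is meant to give."""
    p = parse_csp(header)
    findings: list[str] = []
    if p.get("default-src") != ["'none'"]:
        findings.append("default-src should be 'none' so each fetch type is allowed explicitly")
    for directive in ("script-src", "style-src", "img-src", "connect-src"):
        for src in p.get(directive, []):
            if src in ("*", "http:", "https:"):
                findings.append(f"{directive} allows an overly broad source: {src}")
    if "'unsafe-inline'" in p.get("script-src", []):
        findings.append("script-src permits inline scripts, which defeats XSS mitigation")
    if "form-action" not in p:
        findings.append("form-action missing: injected <form> tags can post data anywhere")
    if "base-uri" not in p:
        findings.append("base-uri missing: injected <base> can hijack relative script URLs")
    if "frame-ancestors" not in p:
        findings.append("frame-ancestors missing: pages may be framed (clickjacking)")
    if not (set(p) & {"report-uri", "report-to"}):
        findings.append("no reporting directive: violations will not be detected")
    return findings


if __name__ == "__main__":
    for path in ("/", "/embed"):
        hdr = build_csp(path)
        print(path, "->", hdr)
        print("  findings:", lint_csp(hdr) or "none")
    # Constructed weak policy of the "allow-list everything" kind.
    weak = "default-src *; script-src * 'unsafe-inline'; img-src *"
    print("weak ->", lint_csp(weak))
```

The linter runs over the header string rather than the Python dict so it can be pointed at a policy captured from a live response; pairing `build_csp` with `lint_csp` in a test suite catches an override that quietly widens `form-action` or drops the reporting directive before it ships.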