Adopting this now before the Datasette 1.0 release could have a big positive impact on the overall security of the Datasette ecosystem going forward, so now is a great time to talk about it!
As you may have seen, I found an XSS security vulnerability in Datasette and released patches for it yesterday: GHSA-xw7c-jx9m-xh5g
XSS is a really common and really nasty security hole. I'd like to reduce the chance of these holes - in both Datasette and its plugin ecosystem - as much as possible.
So I'm considering adopting a strict CSP policy across the project, which would make it much harder for any XSS holes to be exploited at the cost of making it a tiny bit harder to write plugins and custom templates that add their own custom JavaScript.
I have a research issue full of thoughts about this here - #1362 - would love to get more opinions!
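The trade-off described in the post above, as an added illustration that is not Datasette's own code: a per-request nonce, a strict `Content-Security-Policy` that only runs scripts tagged with that nonce, a hypothetical ASGI wrapper that sets the header, and the `<script nonce="...">` tag a plugin or custom template would have to emit. The middleware, the `csp_nonce` scope key and the directive set are assumptions chosen for this example, and `toy_app` is a constructed stand-in for a rendered page.

```python
import asyncio
import secrets

def make_nonce() -> str:
    return secrets.token_urlsafe(16)  # fresh per response; never reuse one

def strict_csp(nonce: str) -> str:
    # Directive set chosen for this example: only scripts carrying the nonce run,
    # so a <script> injected through an XSS hole is refused by the browser.
    return "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}'",
        "style-src 'self'",
        "object-src 'none'",
        "base-uri 'none'",
        "frame-ancestors 'none'",
    ])

def script_tag(nonce: str, js: str) -> str:
    # What a plugin or custom template must emit for its own JavaScript to run.
    return f'<script nonce="{nonce}">{js}</script>'

class CSPMiddleware:
    # Minimal ASGI wrapper (hypothetical, not Datasette's real code): mints the
    # nonce, exposes it to the inner app, and sets the header on the response.
    def __init__(self, app):
        self.app = app
    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        nonce = make_nonce()
        scope["csp_nonce"] = nonce
        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                headers = list(message.get("headers", []))
                headers.append((b"content-security-policy", strict_csp(nonce).encode()))
                message = {**message, "headers": headers}
            await send(message)
        await self.app(scope, receive, send_wrapper)

async def toy_app(scope, receive, send):
    # Constructed stand-in for a page rendering a plugin's inline script with the nonce.
    body = script_tag(scope["csp_nonce"], "console.log('plugin')").encode()
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": body})

def run_demo() -> dict:
    # Drive the wrapped app once on a constructed request and return what it sent.
    sent = []
    async def send(message): sent.append(message)
    asyncio.run(CSPMiddleware(toy_app)({"type": "http"}, None, send))
    csp = dict(sent[0]["headers"])[b"content-security-policy"].decode()
    return {"csp": csp, "body": sent[1]["body"].decode()}
```

A script tag without the matching nonce (the shape an injected payload takes) is blocked under this header, while the plugin's tagged script still runs; the nonce must be minted per response, so caching the rendered page with the header would defeat it.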