Are you in charge of your CSP: JavaScript

With all the attacks in which foreign JavaScript has intercepted entered credit card information (and everything else), it is natural to talk a little about CSP.

CSP, Content Security Policy, is a simple directive that tells the browser how the contents of our website should be served.

For example, you can create a CSP that requires this page to be displayed over HTTPS (the rest is up to your redirects), but there are also the basics that indicate how the browser should load JavaScript. So, according to our CSP, our site allows internal JavaScript files ONLY to be loaded, but allows e.g. external CSS files (fonts we use on the page) to be loaded without any problems. We have specified this by putting an HTTP header

CSP, Content Security Policy, is a great tool that allows us to instruct the browser on which sources it can retrieve material from, in this case JavaScript. So if you want to avoid "foreign" JavaScript on your pages, the CSP script-src directive is the way forward.

I spoke to a developer the other day who said that it was not an issue, as they always opened a new payment window with the payment provider in their solutions. So far so good (although it does look nicer with payment integrated on the site itself), but the challenge here is that virtually all other information you enter on the page, such as email, name and other contact information, can be sent to anyone, at any time.
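
The kind of policy described above (internal JavaScript only, external CSS and fonts allowed), as an added example that is not the header this site sends and not code from the original post: a small evaluator that shows which loads a constructed policy permits. The hosts `shop.example`, `fonts.example` and `third-party.example`, the policy string and the function names are assumptions, and only a simplified subset of CSP source matching is implemented.

```javascript
// Added example. POLICY is constructed for illustration, not the header this
// site sends; shop.example and fonts.example are placeholder hosts.
const PAGE_ORIGIN = "https://shop.example";
const POLICY = "default-src 'self'; script-src 'self'; " +
  "style-src 'self' https://fonts.example; font-src https://fonts.example";

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A directive that appears a second time is ignored: the first one wins.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Match one source expression. Simplified subset: 'none', 'self', *, scheme
// sources (https:) and host sources; no ports, paths, nonces or hashes.
function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)$/.exec(src);
  if (!m) return false; // unsupported expression: treat as no match
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// A fetch directive that is absent falls back to default-src.
function allows(policy, directive, resource, pageOrigin = PAGE_ORIGIN) {
  const sources = policy[directive] ?? policy["default-src"];
  if (sources === undefined) return true; // nothing restricts this resource type
  const url = new URL(resource, pageOrigin);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const policy = parseCsp(POLICY);
for (const [directive, resource] of [
  ["script-src", "/js/checkout.js"],
  ["script-src", "https://third-party.example/widget.js"],
  ["style-src", "https://fonts.example/css/site.css"],
  ["font-src", "https://fonts.example/site.woff2"],
]) {
  console.log(directive, resource, allows(policy, directive, resource) ? "allowed" : "blocked");
}
```

The font host is allowed for stylesheets and fonts but not for scripts, which is what keeps "foreign" JavaScript out while the external CSS still loads.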