It’s unusual for this blog, but today I’m going to write about a proposal that might become real but is still at a very early stage.
It has now been more than a year since we added a recommendation about Content Security Policy to our website analysis on dareboost.com. It’s a great way to add more security to your website, particularly to protect your visitors from the effects of an XSS attack.
The idea behind CSP is to let website owners declare a security policy that the web browser then enforces. For instance, it lets you explicitly whitelist certain JavaScript files, or ensure that HTTPS is used to request every resource within the page.
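To make the two cases above concrete, here is an added example (not code from the original post) that models, in simplified form, how a browser applies a policy to a script load. The sample policy, host names and function names are constructed for illustration; only `'self'`, scheme sources and scheme-qualified host sources are handled.

```javascript
// Simplified model of a browser applying a CSP header to a script load.
// Not handled: nonces, hashes, wildcards, scheme-less host sources.

// Constructed sample policy (cdn.example.com is a hypothetical host).
const SAMPLE_POLICY =
  "default-src 'self'; " +
  "script-src 'self' https://cdn.example.com/js/app.js; " +
  "upgrade-insecure-requests";

// Parse the header value into a Map: directive name -> source tokens.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression allow the requested URL?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  let allowed;
  try { allowed = new URL(source); } catch { return false; } // 'none', keywords
  if (allowed.origin !== url.origin) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  return allowed.pathname.endsWith("/")
    ? url.pathname.startsWith(allowed.pathname)
    : url.pathname === allowed.pathname;
}

// Decide whether a <script src> on pageUrl may load scriptUrl.
function checkScript(header, pageUrl, scriptUrl) {
  const policy = parseCsp(header);
  const page = new URL(pageUrl);
  const url = new URL(scriptUrl, page);
  // The HTTPS upgrade is applied before the source list is checked.
  if (policy.has("upgrade-insecure-requests") && url.protocol === "http:") {
    url.protocol = "https:";
  }
  // script-src falls back to default-src; with neither, nothing is restricted.
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (sources === undefined) return { allowed: true, url: url.href };
  return { allowed: sources.some((s) => sourceMatches(s, url, page.origin)), url: url.href };
}
```

With this policy, a script from an unlisted host or a different file on the listed CDN is refused, while an `http:` reference to the listed file is upgraded to HTTPS and then allowed.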
Tim Kadlec and Yoav Weiss borrowed the general concept of CSP and applied it to web performance, proposing a new HTTP header (Content Performance Policy) that lets a page declare precisely its level of compliance with certain web performance best practices. The user agent would then be responsible for ensuring that the announced best practices are actually followed.