Talk:Content Security Policy
I don't think this belongs correctly to the OWASP Java Project since CSP deals with browser security and server-client protocol (HTTP headers), independently of the specific server implementation. You can send the CSP headers from any possible HTTP server - Java, ASP, PHP/Apache, NodeJS etc. Personally, I find that the lengthy Java implementation example may distract from the main issues and the choices / tradeoffs that people thinking about implementing the CSP in their sites would have to make. Also, regarding the following:
> Inline script will be allowed because inline scripting it's commonly used (can be disabled if target site do not use this type of scripting)
I think this does not make it clear that unsafe-inline removes a lot of anti-XSS protection and therefore most of the benefits of using the CSP.
> This article is based on version 1.1 of the W3C specification.
I believe 1.1 is not yet fully complete, and the implementations are based mostly on 1.0 (need to double-check). I think 1.0 would be the better fit for this page - need to look into how significant the changes are.
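As an added illustration of the 'unsafe-inline' point raised above (example code written for this talk page, not taken from the article or from the commenter), the following Python snippet parses a Content-Security-Policy header, decides whether an injected inline script block would execute under it, and builds the per-response nonce policy that CSP 1.1 offers as the alternative. The sample header strings are constructed for the example; the function and directive names are this example's own. Browser-specific behaviour is not modelled beyond the specification rules stated in the comments.

```python
import base64
import secrets

# Constructed sample: the kind of policy the article's example would emit.
# Inline <script> blocks, including injected ones, are allowed to run.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"

# Source expressions that, under CSP 1.1 / Level 2, cause a browser to ignore
# 'unsafe-inline' in the same directive (nonce- and hash-sources).
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}.

    Directives are separated by ';', source expressions by whitespace.
    A directive repeated later in the header is ignored, as the spec requires.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy):
    """script-src governs inline scripts; when absent, default-src applies."""
    return [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]


def inline_scripts_allowed(header):
    """True if an inline <script> block would execute under this policy.

    - no script-src and no default-src: scripts are unrestricted -> True
    - 'unsafe-inline' absent -> False
    - 'unsafe-inline' present but a nonce-/hash-source is also present:
      CSP 1.1 browsers ignore 'unsafe-inline' -> False
    """
    policy = parse_csp(header)
    if "script-src" not in policy and "default-src" not in policy:
        return True
    sources = effective_script_sources(policy)
    if "'unsafe-inline'" not in sources:
        return False
    return not any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)


def audit(header):
    """Return a list of findings a reviewer would flag in a script policy."""
    policy = parse_csp(header)
    sources = effective_script_sources(policy)
    findings = []
    if inline_scripts_allowed(header):
        findings.append("inline scripts allowed: most anti-XSS value of CSP is lost")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' permits eval()/new Function() on injected strings")
    if "*" in sources:
        findings.append("wildcard script source: any origin can supply scripts")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src unrestricted: plugin content is not covered")
    return findings


def new_nonce():
    """Fresh random nonce per response, base64 as the CSP grammar requires."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_nonce_policy(nonce):
    """Hardened alternative: only <script nonce="..."> blocks with this nonce run."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; object-src 'none'"


if __name__ == "__main__":
    print("weak:", WEAK_POLICY)
    for finding in audit(WEAK_POLICY):
        print("  -", finding)
    hardened = build_nonce_policy(new_nonce())
    print("hardened:", hardened)
    print("  findings:", audit(hardened) or "none")
```

The nonce must be generated anew for every response and placed on each legitimate `<script>` tag; a script injected through an XSS flaw cannot know it in advance, which is exactly the protection that 'unsafe-inline' gives away.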