CSP for Email Templates and HTML Emails: Pros, Cons, Reality
If you build web apps, Content Security Policy (CSP) is one of those controls that feels clean and satisfying. You define what the browser may load, block everything else, and sleep a little better. Then email shows up and ruins the neat mental model. CSP for email templates and HTML emails sounds like a natural extension of web security: same HTML, a browser engine somewhere in the rendering stack, the same risks from injected content. But email clients are a different universe. Some strip tags. Some rewrite links. Some proxy images. Some ignore modern security controls entirely. And many of them treat your carefully crafted HTML like a suspicious package. ...