CSP for Commento: Pros, Cons, and Policy Examples
If you embed Commento, your CSP gets more interesting fast. Comment systems are one of those features that look harmless in product planning and then quietly punch holes in an otherwise tight policy. You add one script, maybe an iframe, maybe an API endpoint, and suddenly your neat default-src 'self' turns into a pile of exceptions nobody wants to touch six months later. Commento is still one of the cleaner options compared to heavier third-party widgets. That’s the good news. The less-good news: the “right” CSP for Commento depends heavily on how you deploy it. ...
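The paragraph above describes the failure mode in words: a widget needs a script, an API endpoint and maybe an iframe, and the quick fix is to widen default-src until everything loads. The following Python is an added example (not code from the article or from the Commento project) that shows the alternative in a form you can run: keep default-src 'self' and add the widget origin only to the directives it actually needs, then audit the result. It assumes a self-hosted Commento at the placeholder origin https://commento.example.com and that the embed script, its API calls and any iframe are all served from that one origin; whether a given deployment also needs style-src or img-src exceptions is not something the article states, so the code leaves that as a parameter.

```python
import copy

# Placeholder for a self-hosted Commento origin; constructed for this example.
COMMENTO_ORIGIN = "https://commento.example.com"

# Sources that effectively disable a directive wherever they appear.
BROAD_SOURCES = {"*", "http:", "https:"}
# Sources that undo CSP's main protection when present in script-src.
UNSAFE_SCRIPT = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy: dict = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def serialize_csp(policy: dict) -> str:
    """Render the policy back into header form."""
    return "; ".join(f"{d} {' '.join(s)}".rstrip() for d, s in policy.items())


def add_origin(policy: dict, origin: str, directives: list) -> dict:
    """Return a copy of the policy with `origin` added to the given directives only.

    A directive that is absent inherits default-src, so it is seeded with a copy
    of default-src's sources before the new origin is appended. default-src
    itself is never touched: the exception stays scoped to what the widget needs.
    """
    new = copy.deepcopy(policy)
    base = new.get("default-src", ["'self'"])
    for directive in directives:
        sources = new.setdefault(directive, list(base))
        if origin not in sources:
            sources.append(origin)
    return new


def commento_policy(policy: dict, origin: str = COMMENTO_ORIGIN,
                    uses_iframe: bool = False) -> dict:
    """Scope exceptions for the parts the article names: the embed script,
    the API endpoint it calls and, optionally, an iframe.

    Assumption: all of them are served from one origin. If a deployment also
    loads a stylesheet or avatar images from that origin, pass "style-src" and
    "img-src" through add_origin() the same way.
    """
    directives = ["script-src", "connect-src"]
    if uses_iframe:
        directives.append("frame-src")
    return add_origin(policy, origin, directives)


def audit(policy: dict) -> list:
    """Flag the ways a widget exception commonly loosens the whole policy."""
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: any directive left out is unrestricted")
    for directive, sources in policy.items():
        for src in sources:
            if src in BROAD_SOURCES:
                findings.append(f"{directive}: broad source {src} allows any host")
            if directive == "script-src" and src in UNSAFE_SCRIPT:
                findings.append(f"script-src: {src} defeats script restrictions")
    for src in policy.get("default-src", []):
        if "://" in src:
            findings.append(
                f"default-src: {src} is granted every fetch type; move it to the "
                "specific directive(s) the widget needs"
            )
    return findings


if __name__ == "__main__":
    baseline = parse_csp("default-src 'self'; img-src 'self' data:")
    scoped = commento_policy(baseline, uses_iframe=True)
    print("scoped  :", serialize_csp(scoped))
    print("findings:", audit(scoped))

    # The quick fix many teams reach for: widen default-src instead.
    lazy = parse_csp(f"default-src 'self' {COMMENTO_ORIGIN} *")
    print("lazy    :", serialize_csp(lazy))
    for finding in audit(lazy):
        print("  -", finding)
```

Running the block prints the scoped policy with no findings, then the widened one with two: the wildcard, and the third-party origin sitting in default-src where it is granted fonts, media, objects and frames it never asked for. The audit is deliberately narrow; it catches the "pile of exceptions" pattern the article warns about, not every CSP mistake.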