I noticed that GitHub and Facebook are both implementing this policy now, which restricts third-party scripts from being run within their experience/site.
Is there a
Currently, there is no way to do so in shipping browsers.
However, something such as the following should work, per spec, and does in Chrome with experimental web platform features enabled in chrome://flags/:
function detectCSPInUse() {
    // Feature-detect document.securityPolicy; report false when it is not implemented.
    return "securityPolicy" in document ? document.securityPolicy.isActive : false;
}
The SecurityPolicy interface (what you get from document.securityPolicy if it is implemented) has a few attributes that give more detail as to what is currently allowed.
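
The following is an added example, not part of the original answer, showing how those extra attributes could be read once the interface is present. The names `allowsEval`, `allowsInlineScript`, `allowsInlineStyle` and `allowsScriptFrom` are assumed from the CSP 1.1 draft interface (the page itself only names `isActive`), and the document objects and URLs are constructed stand-ins so the code runs outside a browser.

```javascript
// Summarize what document.securityPolicy reports about the active policy.
// Attribute and method names other than isActive are assumptions taken from
// the CSP 1.1 draft; they do not appear on the page.
function summarizeSecurityPolicy(doc, scriptUrl) {
  // Interface absent: the browser cannot tell us anything either way.
  if (!doc || !("securityPolicy" in doc) || !doc.securityPolicy) {
    return { supported: false, active: null };
  }
  const sp = doc.securityPolicy;
  const summary = { supported: true, active: Boolean(sp.isActive) };
  if (!summary.active) return summary; // no policy enforced, nothing to read

  // Read a boolean attribute only if the implementation exposes it.
  const flag = (name) => (typeof sp[name] === "boolean" ? sp[name] : null);
  summary.allowsEval = flag("allowsEval");
  summary.allowsInlineScript = flag("allowsInlineScript");
  summary.allowsInlineStyle = flag("allowsInlineStyle");

  // Ask whether a specific script URL (for example a third-party one) is allowed.
  summary.allowsScript =
    typeof sp.allowsScriptFrom === "function" && scriptUrl
      ? Boolean(sp.allowsScriptFrom(scriptUrl))
      : null;
  return summary;
}

// Constructed stand-ins for `document`.
const noInterfaceDoc = {};
const inactiveDoc = { securityPolicy: { isActive: false } };
const strictDoc = {
  securityPolicy: {
    isActive: true,
    allowsEval: false,
    allowsInlineScript: false,
    allowsInlineStyle: true,
    // Models a policy equivalent to: script-src https://example.com
    allowsScriptFrom: (url) => new URL(url).origin === "https://example.com",
  },
};

const THIRD_PARTY = "https://cdn.example.net/widget.js"; // constructed URL
const FIRST_PARTY = "https://example.com/app.js"; // constructed URL
console.log(summarizeSecurityPolicy(noInterfaceDoc, THIRD_PARTY));
console.log(summarizeSecurityPolicy(inactiveDoc, THIRD_PARTY));
console.log(summarizeSecurityPolicy(strictDoc, THIRD_PARTY));
```

In a browser that implements the interface, pass the real `document` as the first argument.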