
I'm not quite sure I follow the threat model here?

> But wait... can't someone come along then and just create a more lenient policy called default? No! That will throw an exception!

Who is "someone" in this situation? And why are they able to execute arbitrary JavaScript code in the user's browser, yet the user is somehow protected by a string sanitization policy?



"someone" is probably a dependency you include that, for one reason or another, tries to revert the policy to a lower level of enforcement. Might be because the dependency needs the lower security policy to work, or because it's a framework that comes with an insecure default, or might be because it accepted a couple of PRs from JiaT75.

I think it's a sensible choice: try lowering the policy and everything blows up. Much better than the alternative of silently ignoring the call or, even worse, silently lowering the policy.


I think “someone” is inexperienced or lazy developers that want to just use APIs insecurely.


Then I still have the same question.


It's a defense-in-depth measure.

If your whole codebase is written without anyone making mistakes then the new policy won't change anything for you. But if not - particularly if your codebase is large and written by many different people over time - then you should probably not assume it's free of all bugs and vulnerabilities. A policy that can be applied centrally to all pages by configuring headers gives you an extra runtime protection against certain kinds of high risk coding errors.

This is just like programs deliberately dropping privileges when they start - they don't use those privileges anyway so dropping them doesn't do anything, right? But of course dropping privileges is worthwhile because programs have bugs and some of those bugs are security vulnerabilities and dropping privileges can reduce the severity of exploits.


Coming back to this after a couple of days, I now realize I probably misunderstood the original question.

'xanathar provided a more useful answer.



