https://github.com/mikewest/csp-next … is a thought experiment: what if we broke CSP in half, removed some esoteric options, and built policy primitives that specifically targeted XSS on the one hand, and resource confinement on the other?
I like the Scripting-Policy part, which gives a good focus on XSS (and should be where most website developers start); but Resource Confinement is probably more powerful with the current CSP syntax (maybe with some bits deprecated).