Content Security Policy: A Primer (mikewest.org)
21 points by Isofarro on Oct 12, 2011 | hide | past | favorite | 4 comments


Good idea, but whitelisting seems inflexible for all web sites, now that most innovation takes place on ready sharing on social networks.


CSP doesn't block you from using social networking widgets: it does insist, however, that you specify up front which widgets you'll be using, and to whitelist those domains. If you trust Facebook's JavaScript, for example, you can certainly include it on your site. You'll need to whitelist the appropriate domain for framing or scripting, that's all.


Would jQuery still function?


As long as it's in an external JS file, sure. CSP simply prevents you from calling script inline. `<script>$('something').hide();</script>` wouldn't work: you'd have to move your JavaScript code into an external file.

For example, you could load the library from Google's CDN by whitelisting the origin via `script-src http://ajax.googleapis.com/` and pulling the script via `<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min....
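To make the two answers above concrete, here is an added example (not code from the thread or from mikewest.org) that parses a `Content-Security-Policy` header and decides, for a given page, whether a script URL, a framed URL, or an inline script would be permitted. The policy string, page origin and URLs are constructed for illustration; the matcher implements the 2011-era CSP host-source rules in simplified form (scheme, host with a leading `*.` wildcard, port; no path matching, no nonces or hashes), falling back from a specific directive to `default-src` the way browsers do.

```python
from urllib.parse import urlsplit

# Constructed example policy (an assumption for this demo, not the article's):
# own-origin resources by default, jQuery from Google's CDN, Facebook widgets in frames.
EXAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' http://ajax.googleapis.com/; "
    "frame-src https://www.facebook.com"
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header):
    """Turn a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _split_host_source(expr):
    """Split 'scheme://host:port/path' into (scheme|None, host, port|None); path is ignored."""
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    expr = expr.split("/", 1)[0]
    host, _, port = expr.partition(":")
    return (scheme.lower() if scheme else None), host.lower(), (port or None)


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # '*.example.com' matches subdomains only, never the bare 'example.com'
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(expr, url, page_origin):
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    target = urlsplit(url)
    page = urlsplit(page_origin)
    if expr == "'self'":
        return (target.scheme, target.netloc.lower()) == (page.scheme, page.netloc.lower())
    if expr.startswith("'"):
        return False  # 'none', 'unsafe-inline', ... never match a URL
    scheme, host, port = _split_host_source(expr)
    # A scheme-less host source inherits the scheme of the protected page.
    if (scheme or page.scheme) != target.scheme:
        return False
    if not _host_matches(host, (target.hostname or "").lower()):
        return False
    target_port = target.port or DEFAULT_PORTS.get(target.scheme)
    if port == "*":
        return True
    if port:
        return str(target_port) == port
    return target_port == DEFAULT_PORTS.get(scheme or target.scheme)


def _governing_sources(policy, directive):
    """The directive's source list, or default-src's, or None if nothing governs it."""
    return policy.get(directive, policy.get("default-src"))


def resource_allowed(policy, directive, url, page_origin):
    """Would the browser fetch `url` for `directive` (e.g. 'script-src', 'frame-src')?"""
    sources = _governing_sources(policy, directive)
    if sources is None:
        return True  # no policy for this resource type: unrestricted
    return any(source_allows(s, url, page_origin) for s in sources)


def inline_script_allowed(policy):
    """Inline <script> blocks run only with 'unsafe-inline' (or no governing directive)."""
    sources = _governing_sources(policy, "script-src")
    return sources is None or "'unsafe-inline'" in sources


if __name__ == "__main__":
    policy = parse_policy(EXAMPLE_POLICY)
    page = "https://example.com"
    print("jQuery from CDN:", resource_allowed(policy, "script-src",
          "http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js", page))
    print("Inline script:", inline_script_allowed(policy))
```

Run as a script it reports that the CDN-hosted jQuery is allowed while the inline `$('something').hide()` call is not, which is exactly the trade the second answer describes: the widgets and libraries you trust get listed by origin, and everything else, including script injected into the page, stays blocked.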



