@simon CSP is probably a good second layer of security, no matter what you end up doing.