Right now the plugin checks for:
- Inline scripts
- Images and scripts with src attributes with http(s) protocols
- Use of eval or new Function
- setTimeout with a string param (this is only explicit usage of a string, not if it's passed as a variable)
- Attempting to load resources in CSS with http(s) protocols
Right now you need to clone this repo into your packages folder (typically ~/Library/Application Support/Sublime Text 2/Packages).
cd ~/Library/Application\ Support/Sublime\ Text\ 2/Packages git clone git://github.com/paullewis/CSP-Validator.git
Or on Windows:
cd c:\users\YOUR_ACCOUNT\AppData\Roaming\Sublime Text 2\Packages git clone git://github.com/paullewis/CSP-Validator.git
Please note: this is only an alpha release. Once all the issues are ironed out I'll request to be added to Package Control.
Just code away and all being well you will receive warnings as the plugin finds them. If for any reason you want to disable the warnings you can use Ctrl + Option + Shift + C (or Alt on PC instead of Option) to disable the plugin.