Unless your application has a large number of places that are vulnerable to
being incorrectly coded to output large user-submitted text fields without
encoding or user-submitted HTML content without sanitization checks, the
added value of this system is approximately zero.

Enabling this policy also makes it effectively impossible to use
temporary files, and forces the web browser to submit secondary requests
to fetch them. That has major performance implications due to turnaround
latency. It also seriously complicates the application development.

For applications produced in an environment where developers are unaware of or
unable to follow basic security practices, or where even a temporary
unpatched "XSS" vulnerability is a serious matter, it would be far better
to propose an extension where script tags needed to carry an attribute with
a generated value that matched a value supplied in the HTTP response.
That would effectively eliminate any real possibility of the web browser
executing a hostile user-submitted script, due to the impossibility of
predicting a match, and the change in the generated value on every request.
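The per-request matching value described in the post, modeled in Python as an added example (not code from the original post): the server draws a fresh random token for each response, places it in the response header and on its own script tag, and a simplified browser-side check lets a script tag run only when its attribute equals the header value. This is the mechanism that CSP `'nonce-…'` sources implement today. The function names, the header layout and the constructed user-submitted markup are assumptions made for the example.

```python
"""Per-request script nonce: server-side generation plus a model of the
browser-side match. Constructed example, not a real browser implementation."""
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Matches the opening tag of any <script ...> element and captures its attributes.
SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
# Matches name="value" attribute pairs inside a tag.
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def make_nonce() -> str:
    """128 bits from a CSPRNG, encoded for safe use in a header and an attribute.
    A new value is drawn for every response, so a stored payload cannot predict it."""
    return secrets.token_urlsafe(16)


def render_page(nonce: str, user_html: str) -> Tuple[Dict[str, str], str]:
    """Build the response. The header carries the nonce, the application's own
    script carries it as an attribute, and the user-submitted HTML is embedded
    unencoded on purpose to model the coding mistake the post describes."""
    headers = {"Content-Security-Policy": f"script-src 'nonce-{nonce}'"}
    body = (
        f'<script nonce="{nonce}">initApp();</script>\n'
        f'<div class="comment">{user_html}</div>'
    )
    return headers, body


def nonce_from_header(headers: Dict[str, str]) -> Optional[str]:
    """Extract the expected nonce from the policy header, if one is present."""
    m = re.search(r"'nonce-([^']+)'", headers.get("Content-Security-Policy", ""))
    return m.group(1) if m else None


def scripts_allowed(headers: Dict[str, str], body: str) -> List[Tuple[str, bool]]:
    """Model of the browser check: a script runs only if its nonce attribute
    equals the header value. Returns (attribute text, allowed) per script tag."""
    expected = nonce_from_header(headers)
    verdicts = []
    for m in SCRIPT_TAG_RE.finditer(body):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        allowed = expected is not None and attrs.get("nonce", "") == expected
        verdicts.append((m.group(1).strip(), allowed))
    return verdicts


def demo() -> List[Tuple[str, bool]]:
    """Constructed stored-XSS payload: one script with no attribute, one that
    replays a nonce value copied from an earlier response. Only the
    application's own script carries the current value."""
    injected = (
        '<script>steal(document.cookie)</script>'
        '<script nonce="value-from-an-old-page">x()</script>'
    )
    headers, body = render_page(make_nonce(), injected)
    return scripts_allowed(headers, body)


if __name__ == "__main__":
    for attrs, allowed in demo():
        print(f"{'RUN ' if allowed else 'BLOCK'}  <script {attrs}>")
```

The check compares the attribute against the header value of the same response, so a payload stored in the database cannot carry a matching value: the token it would need is only chosen when the page is rendered.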