Remove browser sniffing #97
Comments
I think it's fine to do this in a major version bump. Which browsers still need the old header exactly? On the other hand having it disabled by default, does it slow down things still?
Browsers have varying support for CSP. Some use different headers (like
Definitely 👍. We've been running with browser sniffing off since #32 landed -- my biggest concern at that time was the cacheability of browser-sniffed requests.
TBH I too have browser sniffing off for years.
👍 I had to turn off browser sniffing too and reasons for removal make sense.
This has been addressed in I'm going to be archiving this repository soon and moving everything to https://github.com/helmetjs/helmet/, so feel free to open an issue there if you run into any problems.
I plan to remove browser sniffing from the next major version of helmet-csp.

Different browsers have different support for Content Security Policies. Some only support certain directives, where some have different headers (like X-Webkit-CSP). Currently, this module sniffs the browser's User-Agent to figure out what headers to set. However, I'm planning to remove this from the next major version.

My reasons:

User-Agent is slower and uses more memory.

I opened this issue to track the work, but mostly to solicit feedback. If you rely on browser sniffing and would be sad to see it go, or if you have other thoughts, let me know!
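The cacheability concern raised in this thread, as an added example that is not helmet-csp's code: a response whose CSP header name depends on the User-Agent has to be cached per User-Agent, while a fixed header yields one shared cache entry. The sniffing rule, the cache model, the policy string and the User-Agent strings are all constructed assumptions.

```javascript
// Added illustration; nothing here is taken from helmet-csp itself.
const POLICY = "default-src 'self'"; // constructed sample policy

// Hypothetical sniffing rule: old WebKit builds get the prefixed header.
function sniffedHeaders(userAgent) {
  const legacyWebkit = /AppleWebKit\/53[0-4]\./.test(userAgent);
  const name = legacyWebkit ? 'X-Webkit-CSP' : 'Content-Security-Policy';
  // The response now differs per client, so shared caches must be told.
  return { [name]: POLICY, Vary: 'User-Agent' };
}

// No sniffing: every client receives the same standard header.
function fixedHeaders() {
  return { 'Content-Security-Policy': POLICY };
}

// Simplified shared-cache key: URL plus the request headers named in Vary.
function cacheKey(url, requestHeaders, responseHeaders) {
  const vary = (responseHeaders.Vary || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  return [url, ...vary.map((h) => `${h}=${requestHeaders[h] || ''}`)].join('|');
}

// How many distinct cache entries one URL produces for a set of clients.
function countCacheEntries(url, userAgents, buildHeaders) {
  const keys = new Set();
  for (const ua of userAgents) {
    const request = { 'user-agent': ua };
    keys.add(cacheKey(url, request, buildHeaders(ua)));
  }
  return keys.size;
}

// Constructed sample User-Agent strings.
const SAMPLE_UAS = [
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36',
  'Mozilla/5.0 (Macintosh) AppleWebKit/534.57 Version/5.1 Safari/534.57',
  'Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0',
];

console.log('sniffed entries:', countCacheEntries('/app', SAMPLE_UAS, sniffedHeaders));
console.log('fixed entries:  ', countCacheEntries('/app', SAMPLE_UAS, fixedHeaders));
```

If a sniffing server omitted the Vary header instead, a shared cache could hand one browser a header name chosen for another, and that client would receive no policy it recognises.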