Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign upInteraction with CSP. #3
Comments
This comment has been minimized.
This comment has been minimized.
|
I wonder if it would make sense to only ignore certain directives in the CSP (e.g. If we somehow found a satisfactory answer to this, I think it could be nice; that's because it would implicitly work like the versioning of CSP that many developers (hello, @devd!) have asked about in the past. |
This comment has been minimized.
This comment has been minimized.
This is my main concern.
I think I'd be most comfortable ignoring CSP if we had both I've done basically no work on the latter. Perhaps someone's interested in picking it up? @hillbrad might have some thoughts from FB's perspective, for example? |
This comment has been minimized.
This comment has been minimized.
|
heh .. sorry to beat the same drum, but would it be easier to make a new header CSPN: where script-policy is a new directive. Applications could serve the CSPN header and be aware that it will intersect (and so test wisely) and serve the old CSP header for browsers that don't support CSPN/script-policy. |
@arturjanc reasonably asks what the plan is when both a
Scripting-Policyand CSP are present on the same page. Do we enforce both? So we ignore the CSP?I think the right answer for the short term is to enforce both, assuming that the enforcement strategy and behavior for both is compatible. I think that should be the goal.
Ignoring the
Content-Security-Policyseems like the wrong thing to do in the absence of something like the confinement bits of the explainer, but maybe it's a simpler story for developers?