
Send the right header #8

Closed
jsocol opened this Issue Jul 13, 2012 · 7 comments

Member

jsocol commented Jul 13, 2012

Firefox uses X-Content-Security-Policy, Chrome uses X-Webkit-CSP. We should do some basic UA-detection, and send the right header. And probably set Vary: User-Agent.

Contributor

graingert commented Jul 16, 2012

The spec is Content-Security-Policy.

I'd recommend setting them all to the same value.

Member

jsocol commented Jul 16, 2012

No browser currently implements the spec (IE 10 also partially supports X-Content-Security-Policy), and in practice a policy can be a very, very long list. Now that policy-uri is gone from the spec, sending all 3 to every browser is a ton of data to send in every response header.

Someday, hopefully soon, we can just support Content-Security-Policy but until that day sending 3 versions, one guaranteed to be unused by any browser, is just a lot of data.

Contributor

graingert commented Jul 24, 2012

If X-Content-Security-Policy and X-Webkit-CSP both support policy-uri, then you can use those with just the URI.

Then Content-Security-Policy can be used with the full policy.

Member

jsocol commented Jul 24, 2012

Neither browser supports policy-uri and it's been removed from the spec. :(

Contributor

graingert commented Jul 24, 2012

Last time I tried it, X-Content-Security-Policy was behind the spec and used policy-uri.

Member

jsocol commented Jul 24, 2012

I'm going by
https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives

On 7/24/2012 6:07 PM, Thomas Grainger wrote:

Last time I tried it, X-Content-Security-Policy was behind the spec and used policy-uri.


James Socol
Community Platforms Manager
james@mozilla.com
@jamessocol

Contributor

graingert commented Jul 24, 2012

Perhaps a good solution would be a django.conf.settings attribute that defaults to set(("X-Content-Security-Policy",)).

@graingert graingert added a commit to graingert/django-csp that referenced this issue Jul 24, 2012

@graingert graingert set headers from settings.CSP_HEADERS #8 5f87bae

@jsocol jsocol closed this in e34cbde Oct 31, 2012
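The two approaches argued over in this thread (picking one header from the User-Agent and adding Vary: User-Agent, versus a settings-driven list of header names that all carry the same policy), written out as an added Python example that is not django-csp's own code. The browser-matching rules, the function names and the constructed User-Agent strings are assumptions; a real middleware would wrap this logic around the Django response object.

```python
"""Header selection for a CSP middleware: the two strategies from the thread."""
from typing import Dict, Iterable, Mapping

# The three header names discussed: the spec name and the two vendor prefixes.
SPEC_HEADER = "Content-Security-Policy"
MOZ_HEADER = "X-Content-Security-Policy"      # Firefox, partially IE 10
WEBKIT_HEADER = "X-Webkit-CSP"                # Chrome / WebKit


def header_for_user_agent(user_agent: str) -> str:
    """UA-sniffing approach: return the one header name this browser family
    honoured. Matching rules are assumptions; unknown agents get the spec name."""
    ua = user_agent or ""
    if "Chrome" in ua or "Safari" in ua:      # Chrome UAs also contain "Safari"
        return WEBKIT_HEADER
    if "Firefox" in ua or "MSIE 10" in ua:
        return MOZ_HEADER
    return SPEC_HEADER


def csp_response_headers(policy: str, user_agent: str = "",
                         configured_headers: Iterable[str] = ()) -> Dict[str, str]:
    """Build the headers a middleware would add to one response.

    With configured_headers (the settings.CSP_HEADERS idea) every listed header
    carries the policy and the output does not depend on the UA, so no Vary is
    needed. Without it, one header is chosen from the UA and Vary: User-Agent is
    added so shared caches do not serve a Firefox response to Chrome."""
    headers: Dict[str, str] = {}
    names = list(configured_headers)
    if names:
        for name in names:
            headers[name] = policy
        return headers
    headers[header_for_user_agent(user_agent)] = policy
    headers["Vary"] = "User-Agent"
    return headers


def merge_vary(existing: str, token: str) -> str:
    """Append a token to an existing Vary value without duplicating it
    (Vary is case-insensitive and comma-separated)."""
    tokens = [t.strip() for t in existing.split(",") if t.strip()]
    if token.lower() not in (t.lower() for t in tokens):
        tokens.append(token)
    return ", ".join(tokens)


def header_bytes(headers: Mapping[str, str]) -> int:
    """Rough wire size of the added header lines ("Name: value\\r\\n"), the
    per-response cost of sending all three headers that the thread weighs."""
    return sum(len(name) + 2 + len(value) + 2 for name, value in headers.items())
```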
