Add contentSecurityPolicy Case to HttpEquiv Enumeration #153
Related to #152, another modern web standard that you can use to improve the security of https://pointfree.co is to define a Content Security Policy.
A CSP can be defined either in an HTTP header or a `<meta>` tag. I couldn't find a straightforward way to add a new default header to connections serving HTML responses, so I went with a `<meta>` tag. To do this, I added a new `contentSecurityPolicy` case to the `HttpEquiv` enumeration. With this in place, you could update your standard layout to include a new `<meta>` tag.

As far as defining a CSP, the easiest way would be to simply hardcode a string. As an alternative, you might also consider this DSL I created.

I haven't tested this myself, but I believe that the following CSP would be valid for https://pointfree.co:
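The following is an added example, written for this page, not the code from this PR and not swift-html's actual `HttpEquiv` type or the author's DSL. It models a stand-in `HttpEquiv` enumeration with a `contentSecurityPolicy` case, a small policy builder, and the `<meta>` tag rendering, and it adds the check a reviewer would want: the HTML spec ignores `frame-ancestors`, `report-uri` and `sandbox` when a CSP is delivered via `<meta>`, so the builder flags those before they are silently dropped. The host names in the demo policy are hypothetical.

```swift
import Foundation

// Stand-in for an HttpEquiv enumeration with the case this PR proposes.
// Illustrative only; not swift-html's real type.
enum HttpEquiv: String {
    case contentType = "content-type"
    case refresh = "refresh"
    case contentSecurityPolicy = "content-security-policy"
}

// Source expressions a CSP directive can carry.
enum CspSource: CustomStringConvertible {
    case noSources            // 'none'
    case selfOrigin           // 'self'
    case unsafeInline         // 'unsafe-inline'
    case scheme(String)       // e.g. https:
    case host(String)         // e.g. https://cdn.example.com
    case nonce(String)        // 'nonce-<base64>'

    var description: String {
        switch self {
        case .noSources: return "'none'"
        case .selfOrigin: return "'self'"
        case .unsafeInline: return "'unsafe-inline'"
        case .scheme(let s): return s.hasSuffix(":") ? s : s + ":"
        case .host(let h): return h
        case .nonce(let n): return "'nonce-\(n)'"
        }
    }
}

struct ContentSecurityPolicy {
    // Directives the HTML spec ignores when the policy arrives via <meta>;
    // they only take effect as an HTTP header.
    static let headerOnlyDirectives: Set<String> = ["frame-ancestors", "report-uri", "sandbox"]

    private(set) var directives: [(name: String, sources: [CspSource])] = []

    mutating func add(_ name: String, _ sources: CspSource...) {
        directives.append((name: name, sources: sources))
    }

    // Serialised policy, e.g. "default-src 'self'; script-src 'self' https://cdn.example.com"
    var serialized: String {
        directives
            .map { "\($0.name) \($0.sources.map { $0.description }.joined(separator: " "))" }
            .joined(separator: "; ")
    }

    // Directives in this policy that a <meta> delivery would silently drop.
    var droppedInMeta: [String] {
        directives.map { $0.name }.filter { Self.headerOnlyDirectives.contains($0) }
    }
}

// Render the <meta> tag. The policy lands in an attribute value, so escape
// & and " to keep the HTML well-formed even if a source string is odd.
func metaTag(_ equiv: HttpEquiv, content: String) -> String {
    let escaped = content
        .replacingOccurrences(of: "&", with: "&amp;")
        .replacingOccurrences(of: "\"", with: "&quot;")
    return "<meta http-equiv=\"\(equiv.rawValue)\" content=\"\(escaped)\">"
}

// Demo with a constructed policy (hypothetical hosts, not pointfree.co's real needs).
var policy = ContentSecurityPolicy()
policy.add("default-src", .selfOrigin)
policy.add("script-src", .selfOrigin, .host("https://cdn.example.com"))
policy.add("img-src", .selfOrigin, .scheme("https"))
policy.add("frame-ancestors", .noSources)

print(metaTag(.contentSecurityPolicy, content: policy.serialized))
for name in policy.droppedInMeta {
    print("warning: \(name) is ignored in a <meta> CSP; deliver it as an HTTP header")
}
```

Two practical notes when going the `<meta>` route: the tag must appear in `<head>` before any `<script>` or `<link>` elements, because the policy only governs content parsed after it, and clickjacking protection (`frame-ancestors`) cannot be expressed this way at all, so it still needs the `Content-Security-Policy` or `X-Frame-Options` header on the response.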