Standard header only #75

Merged
merged 8 commits into master from standard_header_only on Nov 11, 2013

4 participants
Collaborator

oreoshake commented Nov 5, 2013

Rips out all browser-specific CSP handling and only serves the standard header.

A follow-up: I'd like to rip out the brwsr gem and not do any UA sniffing. This will mean more headers are sent...

Fixes #73

Neil Matatall added some commits Nov 4, 2013

Collaborator

oreoshake commented Nov 5, 2013

@bemurphy this rips out a lot of your code. The separation really helped :)

Contributor

bemurphy commented Nov 5, 2013

Whoa, time machine. @oreoshake cool, glad it helped!

Neil Matatall added some commits Nov 5, 2013

@reedloden reedloden commented on an outdated diff Nov 5, 2013

# script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows
# you to whitelist inline script blocks. For more information, see
# https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce
- :script_nonce => { 'abc123' }
-
- # you can also use lambdas to use dynamically generated nonces
- :script_nonce => lambda { @script_nonce] = 'something' }
+ :script_nonce => lambda { @script_nonce] = 'something' }
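Review bot: the `+` line keeps the unbalanced `]` from the line it replaces, `@script_nonce] = 'something'`, so the README example is still not valid Ruby; it should read `:script_nonce => lambda { @script_nonce = 'something' }`. The comment above it promises "dynamically generated nonces", but the lambda still returns the fixed string `'something'`, which is the same static-nonce pattern the removed `'abc123'` line showed; have the lambda return a freshly generated value (e.g. from `SecureRandom`) so the example matches its comment.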
@reedloden

reedloden Nov 5, 2013

Contributor

This seems like a typo... What's with the ']' just hanging there?

@reedloden reedloden commented on the diff Nov 5, 2013

README.md
# script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows
# you to whitelist inline script blocks. For more information, see
# https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce
- :script_nonce => { 'abc123' }
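Review bot: removing the static-nonce example `:script_nonce => { 'abc123' }` is the right call; a nonce that is identical on every response is visible in page source and gives no protection, and the line was not valid Ruby anyway. The comment that stays behind still only says the option lets you "whitelist inline script blocks"; add a sentence stating that the value must be unpredictable and regenerated for every response, since the remaining lambda example gives no hint of that.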
@reedloden

reedloden Nov 5, 2013

Contributor

Did you mean to remove this?

@oreoshake

oreoshake Nov 5, 2013

Collaborator

Yeah, using a static nonce is not something I would encourage :) In fact, I should rip out https://github.com/twitter/secureheaders/blob/master/lib/secure_headers/headers/content_security_policy.rb#L216 too
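The per-response nonce that the lambda form of `:script_nonce` is meant for, as an added example in plain Ruby that is not part of this PR or of the secure_headers gem. It uses the `script-src 'nonce-...'` form that the CSP spec eventually shipped rather than the 2013 draft's `script-nonce` directive; the middleware class, the `csp.script_nonce` env key, the directive list and the sample app are all assumptions made for the illustration.

```ruby
require 'securerandom'

# One fresh nonce per call: 128 bits of randomness, base64-encoded, which is
# the form browsers accept inside a 'nonce-...' source expression.
def generate_script_nonce
  SecureRandom.base64(16)
end

# The standard Content-Security-Policy value for a given nonce.
# The directive list is an assumption for this example.
def csp_header_value(nonce)
  "default-src 'self'; script-src 'self' 'nonce-#{nonce}'"
end

# An inline script block runs only if its nonce attribute equals the nonce
# carried in the header of the same response.
def inline_script_tag(nonce, body)
  "<script nonce=\"#{nonce}\">#{body}</script>"
end

# True when the header authorises exactly this nonce.
def nonce_matches?(header, nonce)
  header.include?("'nonce-#{nonce}'")
end

# Rack-style middleware (hypothetical; not the gem's own middleware). It mints
# a nonce before the app runs, hands it to the app through the env so templates
# can stamp their <script> tags, then adds the matching header on the way out.
class PerRequestNonceCsp
  def initialize(app)
    @app = app
  end

  def call(env)
    nonce = generate_script_nonce
    env['csp.script_nonce'] = nonce # hypothetical env key read by the app
    status, headers, body = @app.call(env)
    headers['Content-Security-Policy'] = csp_header_value(nonce)
    [status, headers, body]
  end
end

# Minimal sample app (constructed for this example): renders one inline script
# tagged with the nonce the middleware generated for this request.
APP = lambda do |env|
  nonce = env['csp.script_nonce']
  html = "<html><body>#{inline_script_tag(nonce, "console.log('hello')")}</body></html>"
  [200, { 'Content-Type' => 'text/html' }, [html]]
end

STACK = PerRequestNonceCsp.new(APP)

# Simulates one request through the stack and returns
# [csp_header_value, nonce_found_in_the_rendered_html].
def simulate_request
  _status, headers, body = STACK.call({})
  header = headers['Content-Security-Policy']
  nonce = body.first[/nonce="([^"]+)"/, 1]
  [header, nonce]
end
```

Two simulated requests get two different nonces, and each response's header authorises only the nonce that appears in that response's markup. With a static nonce every response would carry the same value, which any attacker who can read the page source can copy into injected markup, so the header would no longer distinguish the application's inline script from the attacker's.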

Contributor

reedloden commented Nov 5, 2013

I support ripping out brwsr and just sending more headers... Honestly, I send most of these via Apache or nginx rules anyway.

Looks good to me but I'm not really an expert.
🐂

@oreoshake oreoshake pushed a commit that referenced this pull request Nov 11, 2013

Neil Matatall Merge pull request #75 from twitter/standard_header_only
Standard header only
b4013c4

@oreoshake oreoshake merged commit b4013c4 into master Nov 11, 2013

1 check passed: the Travis CI build passed.

@caniszczyk caniszczyk deleted the standard_header_only branch Mar 26, 2014
