CSP Improvements #37238
Open
Labels
- topic/security: Something leaks user information or is otherwise vulnerable. Should be fixed!
- type/proposal: The new feature has not been accepted yet but needs to be discussed first.
82bfde2 added basic CSP, and I see some possible future improvements:

- `<meta>` tag which has some limitations compared to an HTTP header which supports the full CSP feature set. According to this, some features do not work, specifically framing protections, sandboxing, or a CSP violation logging endpoint. Meta-tag has one distinct advantage though: when a header is also present, the browser will merge the directives from both sources, which could be desirable.
- `*` which means no restrictions. `self` would be desirable for improved security but it needs to be either opt-in or opt-out so users can still load resources from other origins like external render scripts and such.
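As an added example (not code from this issue or from Gitea itself), the following Go program models the two points above: it builds a `default-src 'self'` policy with an opt-in list of extra origins instead of `*`, delivers it as a `Content-Security-Policy` header via middleware, checks which resource loads each variant would permit, and lists the directives that would silently stop working if the same policy were shipped in a `<meta>` element. Function names, the sample `gitea.example.com` / `render.example.com` origins, and the deliberately simplified source matcher (no paths, `*.host` wildcards, nonces, hashes or default-port folding) are this example's own assumptions, not part of the project.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sort"
	"strings"
)

// Directives the CSP spec ignores when the policy is delivered in a <meta>
// element rather than a Content-Security-Policy header: the framing
// protection, sandboxing and violation-reporting features the issue names.
var metaUnsupported = map[string]bool{"frame-ancestors": true, "sandbox": true, "report-uri": true}

// Policy is a minimal CSP model: directive name -> source list.
type Policy map[string][]string

// BuildPolicy returns default-src 'self' plus any origins the administrator
// opted in to (e.g. a host serving external render scripts). With no extra
// origins the policy is 'self'-only, the strict alternative to '*'.
func BuildPolicy(extraOrigins []string) Policy {
	sources := []string{"'self'"}
	for _, o := range extraOrigins {
		if o = strings.TrimSpace(o); o != "" {
			sources = append(sources, o)
		}
	}
	return Policy{"default-src": sources, "frame-ancestors": {"'self'"}}
}

// Serialize emits the header value with directives in sorted order so the
// output is deterministic.
func (p Policy) Serialize() string {
	names := make([]string, 0, len(p))
	for n := range p {
		names = append(names, n)
	}
	sort.Strings(names)
	parts := make([]string, 0, len(names))
	for _, n := range names {
		parts = append(parts, strings.TrimSpace(n+" "+strings.Join(p[n], " ")))
	}
	return strings.Join(parts, "; ")
}

func origin(u *url.URL) string { return strings.ToLower(u.Scheme + "://" + u.Host) }

// Allows reports whether default-src lets a page at pageURL fetch resourceURL.
// Simplified matcher (assumption of this example): handles *, 'self', 'none'
// and plain origin or host sources; no paths, *.wildcards, nonces, hashes
// or default-port folding.
func (p Policy) Allows(pageURL, resourceURL string) (bool, error) {
	page, err := url.Parse(pageURL)
	if err != nil {
		return false, err
	}
	res, err := url.Parse(resourceURL)
	if err != nil {
		return false, err
	}
	sources, ok := p["default-src"]
	if !ok {
		return true, nil // no default-src at all: fetches are unrestricted
	}
	for _, src := range sources {
		switch s := strings.ToLower(strings.TrimSuffix(src, "/")); s {
		case "*":
			return true, nil
		case "'self'":
			if origin(page) == origin(res) {
				return true, nil
			}
		case "'none'":
			// contributes nothing
		default:
			if s == origin(res) || s == strings.ToLower(res.Host) {
				return true, nil
			}
		}
	}
	return false, nil
}

// DroppedInMeta lists the directives of p that would silently stop working
// if the policy were delivered only via <meta>.
func (p Policy) DroppedInMeta() []string {
	var dropped []string
	for n := range p {
		if metaUnsupported[n] {
			dropped = append(dropped, n)
		}
	}
	sort.Strings(dropped)
	return dropped
}

// CSPMiddleware sets the header on every response, the delivery path that
// supports the full directive set.
func CSPMiddleware(p Policy, next http.Handler) http.Handler {
	value := p.Serialize()
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", value)
		next.ServeHTTP(w, r)
	})
}

// HeaderFor sends one request through the middleware and returns the header
// value a client would receive.
func HeaderFor(p Policy) string {
	h := CSPMiddleware(p, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	page := "https://gitea.example.com/user/repo"  // constructed sample page URL
	script := "https://render.example.com/render.js" // constructed external render script
	for _, pol := range []Policy{{"default-src": {"*"}}, BuildPolicy(nil), BuildPolicy([]string{"https://render.example.com"})} {
		ok, _ := pol.Allows(page, script)
		fmt.Printf("%-62s external render script allowed: %v\n", HeaderFor(pol), ok)
	}
	lossy := Policy{"default-src": {"'self'"}, "frame-ancestors": {"'none'"}, "report-uri": {"/csp"}, "sandbox": {}}
	fmt.Println("lost if delivered via <meta>:", lossy.DroppedInMeta())
}
```

Running it shows the trade-off in the issue directly: the `*` policy permits the external render script, the plain `'self'` policy blocks it, and the opt-in variant restores only the one origin the administrator listed, while `DroppedInMeta` makes visible that `frame-ancestors`, `report-uri` and `sandbox` only take effect when the policy reaches the browser as a header.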