Comments (15)
I knew I would have to do some kajiggering with the FF changes. I'll take a look. Thanks!
from helmet.
I have the following on FF21.0:
The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead.
from helmet.
I plan on setting both for backward compatibility for a bit. Any thoughts on that?
Adam Baldwin
CSO | &yet
On Jun 22, 2013, at 5:23 AM, Remo E wrote:
I have the following on FF21.0
The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead.
from helmet.
Seeing this on Chrome 28. I'm okay with backwards compatibility...
from helmet.
I don't really want to add browser sniffing to set headers differently,
but it might have to be the case in the end. CSP is such a mess right
now....
John Weis wrote:
Seeing this on Chrome 28. I'm okay with backwards compatibility...
from helmet.
also csp breaks safari for me when using the x-webkit-csp header
from helmet.
bah, I really wish browsers had their crap together and all used the
same header / standard....
I really didn't want to have to add browser sniffing but it looks like I
might have to.
Nilos wrote:
also csp breaks safari for me when using the x-webkit-csp header
from helmet.
I had this code floating around for browser sniffing. Might help. Requires ua-parser module.
// content_security_policy.js
// Requires the ua-parser module (npm install ua-parser).
var browser = require('ua-parser'),
    firefoxHeader = 'X-Content-Security-Policy',
    webkitHeader = 'X-WebKit-CSP',
    standardHeader = 'Content-Security-Policy';

// Pick the CSP header name to send for a given User-Agent string.
// ua-parser's parseUA(...).toString() yields e.g. "Firefox 3.0" or "IE 8.0".
function cspHeaderFor(ua) {
  var parsed = browser.parseUA(ua).toString();
  if (parsed.match(/Firefox/)) {
    return firefoxHeader;
  } else if (parsed.match(/IE/)) {
    return standardHeader;
  } else {
    return webkitHeader;
  }
}

// UA Test Cases
var uaFF = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0';
console.log(browser.parseUA(uaFF).toString(), '->', cspHeaderFor(uaFF));
var uaIE = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)';
console.log(browser.parseUA(uaIE).toString(), '->', cspHeaderFor(uaIE));
from helmet.
I've just made a pull request to include user agent testing for csp.js.
from helmet.
You can link to a PR by just putting a hashtag and the number here, like this: #16
from helmet.
Like the idea of moving towards the CSP 1 headers instead of the X-* variants. What about handling this via project semver? Keep 0.0.x for X-* headers and move to 0.1.x for the non X-* headers. Thoughts?
from helmet.
Yeah I'm kind of gridlocked as to what to do. I really don't like / want
to support legacy prefixed headers but I don't want to leave those
browsers out in the cold as to CSP support.
Looking for any other ideas before I just go ahead and merge in the
browser sniffing code, etc....
angleman wrote:
Like the idea of moving towards the CSP 1 headers instead of the X-*
variants. What about handling this via project semver? Keep 0.0.x for
X-* headers and move to 0.1.x for the non X-* headers. Thoughts?
from helmet.
It would be so much easier just having to support the CSP 1 specs, but several current browsers are still relying on the prefixed headers (see http://caniuse.com/contentsecuritypolicy). Even if they all moved to CSP 1 for the next version many of those browsers will still be around for quite a while. And anyone implementing CSP for their site would want to cover as many of their users' browsers as possible.
from helmet.
What about a legacy flag, like helmet.csp({legacy:true})? If set, then send the X-* variants also. Then the legacy flag could be deprecated, say, when CSP 1.1 is finalized, and sometime after that, when the quantity of legacy browsers in the wild is small, remove the legacy flag entirely.
from helmet.
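As an added example of the legacy-flag idea from the comment above (not helmet's own code), here is a minimal CSP middleware that always sends the standard Content-Security-Policy header and, only when `legacy: true` is passed, also sends the two prefixed variants discussed in this thread. It assumes Node's (req, res, next) middleware convention and `res.setHeader()` from http.ServerResponse; the option names `directives`, `legacy` and `reportOnly` are this example's own, not helmet's API.

```javascript
// Added example, not helmet's code: CSP middleware with a `legacy` option
// that also emits the prefixed header names when set.

const STANDARD_HEADER = 'Content-Security-Policy';
// Prefixed variants used by older Firefox (X-Content-Security-Policy)
// and older WebKit browsers (X-WebKit-CSP).
const LEGACY_HEADERS = ['X-Content-Security-Policy', 'X-WebKit-CSP'];

// Serialize a directives object into a CSP header value.
// { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://cdn.example.com'] }
// becomes "default-src 'self'; script-src 'self' https://cdn.example.com".
function serializeDirectives(directives) {
  return Object.keys(directives)
    .map((name) => {
      const values = directives[name];
      if (!Array.isArray(values) || values.length === 0) {
        throw new TypeError('directive ' + name + ' must be a non-empty array');
      }
      return name + ' ' + values.join(' ');
    })
    .join('; ');
}

// Build the middleware. `directives` is required; `legacy` and `reportOnly`
// default to false. reportOnly switches every header to its -Report-Only form.
function csp(options) {
  const value = serializeDirectives(options.directives);
  const suffix = options.reportOnly ? '-Report-Only' : '';
  const headerNames = [STANDARD_HEADER + suffix];
  if (options.legacy) {
    for (const name of LEGACY_HEADERS) headerNames.push(name + suffix);
  }
  return function cspMiddleware(req, res, next) {
    // Same policy value under every header name; browsers ignore the
    // names they do not recognise.
    for (const name of headerNames) res.setHeader(name, value);
    next();
  };
}

// Run a middleware against a stub response and return the headers it set.
// Used here to demonstrate the behaviour without starting a server.
function headersSetBy(middleware) {
  const set = {};
  const res = { setHeader(name, value) { set[name] = value; } };
  middleware({}, res, () => {});
  return set;
}

// Constructed sample policy for the demonstration.
const sampleDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'],
};
console.log('standard only:', headersSetBy(csp({ directives: sampleDirectives })));
console.log('with legacy:  ', headersSetBy(csp({ directives: sampleDirectives, legacy: true })));
```

Sending the same value under all three names is what the "set both" approach in this thread amounts to; once the legacy flag is dropped, only the first entry of `headerNames` remains and the prefixed names disappear from responses.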
Addressed by c0f695d.
from helmet.