'strict-dynamic' isn't injected into CSP Report-Only #56

Closed
aidantwoods opened this issue Jul 26, 2017 · 0 comments
aidantwoods commented Jul 26, 2017

When enabling strict mode, 'strict-dynamic' is opportunistically injected into CSP but not 'strict-dynamic'. There's no documentation that indicates this is only for enforced policies (and seems to go against the idea of ->cspro behaving like ->csp – in a different mode). Therefore I see no reason for BC break (from intended behaviour), and it's not really a new feature either – hence can probably be a bugfix release.

Should probably add a config for disabling/enabling this opportunistic injection in strict mode too in each header (one might want to deploy slightly different policies in each header to trial run a CSP in report mode before using enforce).

Conscious of a potential "configuration overload" approaching here, we're building up quite a few configuration options. Will open a separate issue to discuss possibly cleaning some of this up, see #57.
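A check a practitioner trial-running a CSP in report-only mode would want before switching to enforce, added here as an example and not code from the SecureHeaders project: it parses both headers and lists the directives where 'strict-dynamic' is present in one policy but missing from the other, which is exactly the mismatch this issue describes. The sample headers are constructed, not captured from the library.

```python
"""Parity check for 'strict-dynamic' between enforced and report-only CSP headers."""
from typing import Dict, List


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a serialized CSP into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # First occurrence wins: browsers ignore a repeated directive name.
        directives.setdefault(name, tokens[1:])
    return directives


def strict_dynamic_gaps(headers: Dict[str, str]) -> List[str]:
    """Return directives where only one of the two policies carries 'strict-dynamic'."""
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    cspro = parse_csp(headers.get("Content-Security-Policy-Report-Only", ""))
    gaps: List[str] = []
    for name in sorted(set(csp) | set(cspro)):
        in_csp = "'strict-dynamic'" in csp.get(name, [])
        in_cspro = "'strict-dynamic'" in cspro.get(name, [])
        if in_csp != in_cspro:
            where = "enforced" if in_csp else "report-only"
            gaps.append(f"{name}: 'strict-dynamic' only in {where} policy")
    return gaps


# Constructed sample headers reproducing the situation in the issue:
# strict mode injected 'strict-dynamic' into CSP but not into CSP Report-Only.
SAMPLE_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'",
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'nonce-abc123'; report-uri /csp-report",
}

if __name__ == "__main__":
    for gap in strict_dynamic_gaps(SAMPLE_HEADERS):
        print(gap)
```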

@aidantwoods aidantwoods added this to the Version 2.0.1 milestone Jul 26, 2017