couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kxepal <...@git.apache.org>
Subject [GitHub] couchdb pull request: Add Experimental Content-Security-Policy-Sup...
Date Sun, 18 May 2014 22:23:49 GMT
Github user kxepal commented on a diff in the pull request:

    https://github.com/apache/couchdb/pull/233#discussion_r12776692
  
    --- Diff: src/couchdb/couch_httpd_misc_handlers.erl ---
    @@ -79,6 +80,15 @@ handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
     handle_utils_dir_req(Req, _) ->
         send_method_not_allowed(Req, "GET,HEAD").
     
    +maybe_add_csp_headers(Headers, "false") ->
    +    Headers;
    +maybe_add_csp_headers(Headers, "true") ->
    +    DefaultValues = "default-src 'self'; img-src *; font-src *; " ++
    +                    "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
    +    Value = couch_config:get("csp", "header_value", DefaultValues),
    +    Headers ++ [{"Content-Security-Policy", Value}].
    --- End diff --
    
    Well, `X-Content-Security-Policy` was used during experimental period: so can cover modern
IEs and older browsers with no cost. As for `X-XSS-Protection` you can say, that it's a part
of `CSP 1.1` spec which by the way covers some old browsers for today. In anyway, ignoring
IE is hard since we're doing Windows releases and it's still on the market (:


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message