When enabling strict mode, 'strict-dynamic' is opportunistically injected into CSP but not 'strict-dynamic'. There's no documentation that indicates this is only for enforced policies (and it seems to go against the idea of `->cspro` behaving like `->csp` – in a different mode). Therefore I see no reason for a BC break (from intended behaviour), and it's not really a new feature either – hence it can probably be a bugfix release.
Should probably add a config for disabling/enabling this opportunistic injection in strict mode too in each header (one might want to deploy slightly different policies in each header to trial run a CSP in report mode before using enforce).
Conscious of a potential "configuration overload" approaching here, we're building up quite a few configuration options. Will open a separate issue to discuss possibly cleaning some of this up, see #57.